You could also use Sagan to trigger on the event, extract the information (via liblognorm) and pass it to an external plug-in (which fires iptables). Pretty straightforward. I plan on having snortsam integration in Sagan soon as well.
On Nov 25, 2011, at 6:50 PM, Marc Schiffbauer wrote:

> ----- Original Mail -----
>> On 25.11.2011 22:10, Rainer Gerhards wrote:
>>>> -----Original Message-----
>>>> From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Robert Schetterer
>>>> Sent: Friday, November 25, 2011 9:01 PM
>>>> To: rsyslog-users
>>>> Subject: [rsyslog] mail log ip filter spamhaus rsyslog
>>>>
>>>> Hi @ll,
>>>> I am new to this list
>>>> and not very familiar with rsyslog, so sorry if my question was
>>>> asked/answered before.
>>>>
>>>> My goal is filtering Spamhaus RBL IPs from the Postfix mail log.
>>>> I have already done
>>>> (on SUSE)
>>>>
>>>> mail.info -/var/log/mail.info;RSYSLOG_TraditionalFileFormat
>>>> if $msg contains 'blocked using zen.spamhaus.org' then /var/log/spamhaus.log;RSYSLOG_TraditionalFileFormat
>>>>
>>>> This works fine, but as I have a lot of spambots,
>>>> fail2ban is too slow with this already filtered log.
>>>>
>>>> So I want a second or combined rsyslog rule which results
>>>> only in the IP.
>>>>
>>>> A relevant log entry example looks like this:
>>>>
>>>> postfix/postscreen[32120]: NOQUEUE: reject: RCPT from [190.24.212.146]:57855: 550 5.7.1 Service unavailable; client [190.24.212.146] blocked using zen.spamhaus.org; from=<some...@somewhere.de>, to=<some...@somwhere.de>, proto=ESMTP, helo=<MCRISTALCRE>
>>>>
>>>> The plan would be: set the IP output to e.g. a FIFO pipe
>>>> and read the output via some daemon script/program to create an iptables
>>>> IP reject rule with timestamp via an ipset map, which expires automatically after
>>>> 24 h; this should be as fast as possible.
>>>>
>>>> So, anybody with an example for filtering this?
>>>>
>>>> By the way,
>>>> someone speculated rsyslog may be able to do the whole job,
>>>> filtering the IP and doing the ipset action in one step; is this true?
>>>> I am not that far in the docs yet.
>>>
>>> I have to admit that I do not fully understand your question. But it has been
>>> a long and busy day today ;) Could you try to describe in two or three
>>> sentences what you actually want to achieve?
>>
>> OK,
>>
>> this is an example from the mail log:
>>
>> postfix/postscreen[32120]: NOQUEUE: reject: RCPT from [190.24.212.146]:57855: 550 5.7.1 Service unavailable; client
>>
>> (this is the relevant match part)
>> [190.24.212.146] blocked using zen.spamhaus.org;
>>
>> from=<some...@somewhere.de>, to=<some...@somwhere.de>, proto=ESMTP, helo=<MCRISTALCRE>
>>
>> I want to have only 190.24.212.146, filtered by rsyslog,
>> and do this:
>> echo +190.24.212.146 > /proc/net/xt_recent/SMTP
>>
>> if possible, all done directly from rsyslog.
>>
>> If not, it's enough to pipe only 190.24.212.146 to a FIFO;
>> I will script some daemon reading the FIFO then.
>>
>> But as someone else answered, I think rsyslog could do it in one step.
>>
>> Clear now?
>
> Hi Robert,
>
> maybe something like that would work (untested):
>
> $template MyTemplate,"+%msg:R,ERE,1,BLANK:.*\[([0-9.]+)\].*--end%"
> if $msg contains 'blocked using zen.spamhaus.org' \
> then /proc/net/xt_recent/SMTP;MyTemplate
>
> -Marc
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/

Champ Clark III
(office) 904.253.7856 (mobile) 850.443.2440 (SOC) 800.538.9357 ext 101
ccl...@quadrantsec.com
www.quadrantsec.com