From 3d23a44bb162534470974dd1209ae47e6a631a30 Mon Sep 17 00:00:00 2001
From: bill
Date: Wed, 10 Sep 2025 13:27:30 -0400
Subject: [PATCH 1/3] fix `dig` to filter out warnings from email address capture
---
 config/action.d/xarf-login-attack.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/action.d/xarf-login-attack.conf b/config/action.d/xarf-login-attack.conf
index f348b2c4..a0121966 100644
--- a/config/action.d/xarf-login-attack.conf
+++ b/config/action.d/xarf-login-attack.conf
@@ -44,7 +44,8 @@ actioncheck =
 actionban = oifs=${IFS};
 RESOLVER_ADDR="%(addr_resolver)s"
 if [ "" -gt 0 ]; then echo "try to resolve $RESOLVER_ADDR"; fi
- ADDRESSES=$(dig +short -t txt -q $RESOLVER_ADDR | tr -d '"')
+ ADDRESSES=$(dig +short -t txt -q $RESOLVER_ADDR | grep -v ';;' | tr -d '"')
+ if [ "" -gt 0 ]; then echo "returned address $ADDRESSES"; fi
 IFS=,; ADDRESSES=$(echo $ADDRESSES)
 IFS=${oifs}
 IP=
From 85cfb8178263cf9a612a0e6996eb7095c1db27fd Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Wed, 10 Sep 2025 20:04:10 +0200
Subject: [PATCH 2/3] lets see an error (with debug messages) in debug case
---
 config/action.d/xarf-login-attack.conf | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/config/action.d/xarf-login-attack.conf b/config/action.d/xarf-login-attack.conf
index a0121966..00da7f79 100644
--- a/config/action.d/xarf-login-attack.conf
+++ b/config/action.d/xarf-login-attack.conf
@@ -46,6 +46,11 @@ actionban = oifs=${IFS};
 if [ "" -gt 0 ]; then echo "try to resolve $RESOLVER_ADDR"; fi
 ADDRESSES=$(dig +short -t txt -q $RESOLVER_ADDR | grep -v ';;' | tr -d '"')
 if [ "" -gt 0 ]; then echo "returned address $ADDRESSES"; fi
+ if [ -z "$ADDRESSES" ]; then
+ echo "address for $RESOLVER_ADDR cannot be found or timeout from dig";
+ if [ "" -gt 0 ]; then exit 1; fi
+ exit 0
+ fi
 IFS=,; ADDRESSES=$(echo $ADDRESSES)
 IFS=${oifs}
 IP=
@@ -56,13 +61,11 @@ actionban = oifs=${IFS};
 TLP= PORT= DATE=`LC_ALL=C date --date=@
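Review bot: The `grep -v ';;'` added to the `ADDRESSES=` pipeline in [PATCH 1/3] drops any line that contains `;;` anywhere and passes every other line dig prints, so the value the subject line calls the e-mail address capture is still whatever the resolver returns. Anchoring the filter and quoting the lookup name narrows it: `ADDRESSES=$(dig +short -t txt -q "$RESOLVER_ADDR" | grep -v '^;;' | tr -d '"')`. Because the TXT answer is data from a remote zone, checking that each entry has the shape of an address before it is used (presumably as a recipient further down in `actionban`, which continues outside this hunk) would be stronger than a denylist of dig diagnostics. A short comment naming the dig warnings the filter is meant to catch would also help the next reader.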
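Review bot: The emptiness test added in the first hunk of [PATCH 2/3] runs before `IFS=,; ADDRESSES=$(echo $ADDRESSES)`, so a reply that is only a separator (a lone `,`) passes `[ -z "$ADDRESSES" ]` and becomes empty only after the split, and the rest of `actionban` (outside this hunk) then runs with no address. Moving the added `if [ -z "$ADDRESSES" ]; then … fi` block to just after `IFS=${oifs}` covers both the empty reply and that case. The branch ends in `exit 0` whenever the debug test is false, so the action reports success although no abuse contact was found; writing the message to stderr, `echo "address for $RESOLVER_ADDR cannot be found or timeout from dig" >&2`, would at least keep it apart from normal output.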