Merge pull request #493 from grooverdan/xarf-ipmatch

ENH: use ipmatches for action xarf-login-attack
2013-12-19 01:28:49 -08:00 · 2013-12-19 01:28:49 -08:00 · a1a219189f
parent 7247a6841a 4eedf9d4e1
commit a1a219189f
1 changed files with 2 additions and 3 deletions
--- a/config/action.d/xarf-login-attack.conf
+++ b/config/action.d/xarf-login-attack.conf
@ -43,7 +43,7 @@ actionban = oifs=${IFS}; IFS=.;SEP_IP=( <ip> ); set -- ${SEP_IP} ;ADDRESSES=$(di
            FROM=<sender>
            SERVICE=<service>
            FAILURES=<failures>
-            MATCHES=<matches>
+            MATCHES='<matches>'
            REPORTID=<time>@`uname -n`
            TLP=<tlp>
            PORT=<port>
@ -51,8 +51,7 @@ actionban = oifs=${IFS}; IFS=.;SEP_IP=( <ip> ); set -- ${SEP_IP} ;ADDRESSES=$(di
            if [ ! -z "$ADDRESSES" ]; then
                (printf -- %%b "<header>\n<message>\n<report>\n${MATCHES}\n";
                 date '+Note: Local timezone is %%z (%%Z)';
-                 tail -n <loglines> <logpath> | grep '[^0-9]<ip>[^0-9]';
-                 printf -- %%b "<footer>") | <mailcmd> <mailargs> ${ADDRESSES//,/\" \"}
+                 printf -- %%b "<ipmatches>\n\n<footer>") | <mailcmd> <mailargs> ${ADDRESSES//,/\" \"}
            fi

 actionunban =