On Wed, May 04, 2011 at 01:49:43AM -0700, Risto Vaarandi wrote:
> hi Ray,
>
> since %geoip is an action list variable, it can only be used in other
> action lists (which are executed after a successful pattern match).
> However, matching users not coming from particular countries should be
> done with a pattern (or pattern with a context expression, as done
> below).
> I would split the rule you have into two rules:
>
> # Load Geo::IP once at startup (and on restart). %geoip is an action
> # list variable, so the load is done from an action list.
> type=Single
> ptype=RegExp
> pattern=(SEC_STARTUP|SEC_RESTART)
> context=SEC_INTERNAL_EVENT
> desc=Load GeoIP module
> action=eval %geoip ( require Geo::IP; )
>
> # Match FTP logins and hand the address ($1) to the context function,
> # which returns true (rule fires) unless the address resolves to an
> # expected country. The hash needs key => value pairs, and the constant
> # is fully qualified because 'require' does not import GEOIP_STANDARD.
> type=Single
> ptype=RegExp
> pattern=FTP login from ([\d.]+)
> context=$1 -> ( sub { my %valid_countries = ("IN" => 1); \
> my $gi = Geo::IP->new(Geo::IP::GEOIP_STANDARD()); \
> my $country = $gi->country_code_by_addr($_[0]); \
> return 0 if exists $valid_countries{$country}; return 1; } )
> desc=FTP login from unexpected country
> action=write - %s
>
> You can also combine the 'pattern' and 'context' fields of the second
> rule into a single 'pattern' field with a PerlFunc pattern.
>
> Note that I haven't tested these rules since I haven't set up the
> GeoIP module on my laptop, but the rules should nevertheless convey
> the basic idea of how to tackle the problem.
>
> kind regards,
> risto
Thanks Risto. This worked great. I actually also included some
NetAddr::IP calls to exclude certain CIDR ranges.
Appreciate your assistance.
Ray
>
> 2011/5/4 Ray Van Dolson <[email protected]>:
> > I'm watching FTP logs and want to trigger an email alert when a user
> > logs into a particular account from a country not in a pre-defined
> > list. I'm hoping to use the GeoIP perl module for this.
> >
> > type=Single
> > ptype=RegExp
> > pattern=(SEC_STARTUP|SEC_RESTART)
> > context=SEC_INTERNAL_EVENT
> > desc=Compile GeoIP Routines
> > action=eval %geoip ( sub { require Geo::IP; \
> > my %valid_countries = ("IN" => 1); \
> > my $gi = Geo::IP->new(Geo::IP::GEOIP_STANDARD()); \
> > my $country = $gi->country_code_by_addr($_[0]); \
> > return 1 if exists $valid_countries{$country};} );
> >
> > (The above seems to load correctly)
> >
> > However, at this point I'm not clear how I should write my rule
> > definition. Should I write a RegExp rule, match on the string I'm
> > after (and extract the IP) then use a call action to call my function
> > above? Or can I use the PerlFunc action?
> >
> > Thanks,
> > Ray
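The decision logic the thread arrives at (match the FTP login line, extract the address, skip exempt CIDR ranges, alert unless the country is on the allowlist) as an added example that is not part of the original thread and not SEC's own code. It is written in Python rather than as SEC rules so it runs offline: the log lines are constructed, the CIDR exclusions are hypothetical stand-ins for the NetAddr::IP checks Ray mentions, and `fake_country_lookup` with its small table stands in for `Geo::IP::country_code_by_addr`; in production you would pass a real GeoIP lookup callable instead. Like the context function in the thread it fails closed: an address with no country record, or one the regex captured in malformed form, is reported.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample log lines (not taken from the original thread).
SAMPLE_LOG = [
    "May  4 01:50:01 ftp01 proftpd[1234]: FTP login from 203.0.113.10",
    "May  4 01:50:02 ftp01 proftpd[1235]: FTP login from 198.51.100.7",
    "May  4 01:50:03 ftp01 proftpd[1236]: FTP login from 10.0.0.5",
    "May  4 01:50:04 ftp01 proftpd[1237]: FTP login from 192.0.2.44",
    "May  4 01:50:05 ftp01 proftpd[1238]: FTP login from 100.64.0.1",
    "May  4 01:50:06 ftp01 proftpd[1234]: FTP logout from 203.0.113.10",
]

# Same pattern as the second rule in the thread.
LOGIN_RE = re.compile(r"FTP login from ([\d.]+)")

# Countries from which logins are expected (the thread's %valid_countries).
VALID_COUNTRIES = frozenset({"IN"})

# Hypothetical exempt ranges, standing in for the NetAddr::IP exclusions.
EXCLUDED_CIDRS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "192.0.2.0/24")]

# Assumed stand-in for Geo::IP->country_code_by_addr(): a constructed table.
# Returns None when there is no record, as GeoIP does for unlisted addresses.
_FAKE_GEOIP = {"203.0.113.10": "IN", "198.51.100.7": "US"}


def fake_country_lookup(ip: str) -> Optional[str]:
    return _FAKE_GEOIP.get(ip)


def unexpected_country(ip, lookup, valid=VALID_COUNTRIES, excluded=EXCLUDED_CIDRS):
    """True when the login should be reported.

    Mirrors the thread's context function: the rule fires unless the
    country is on the allowlist, so an unknown country (None) also fires.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # [\d.]+ can capture things like "1.2.3" or a trailing dot;
        # treat a malformed capture as unexpected rather than silently skip it.
        return True
    if any(addr in net for net in excluded):
        return False
    return lookup(ip) not in valid


def scan(lines, lookup=fake_country_lookup):
    """Run the rule over log lines; return (ip, country) for each alert."""
    alerts = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        ip = m.group(1)
        if unexpected_country(ip, lookup):
            alerts.append((ip, lookup(ip)))
    return alerts


if __name__ == "__main__":
    for ip, country in scan(SAMPLE_LOG):
        print(f"FTP login from unexpected country: {ip} ({country})")
```

Running it over the constructed lines reports 198.51.100.7 (US, not on the allowlist) and 100.64.0.1 (no country record); the two addresses inside the exempt ranges and the IN login are silent, and the logout line never matches the pattern.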
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users