Michael Schaap wrote:
John Rudd wrote:

It would be great if Botnet could do something similar, like:

2.0 BOTNET The submitting mail server looks like part of a Botnet
                            [ip=12.34.56.789 rdns=dhcp12.34.example.org]


Any tips on how to do that? :-}


Well, I had a look, and the good news: it's rather simple to add such a line: just use something like:

    $pms->test_log("ip=$ip, rdns=$rdns");

The bad news, of course, is that BOTNET is a meta rule, so you can't do this for that rule. You can still do so for the individual rules, but as those are going away, that won't help much...



Hm. They're not going away, as much as they're not going to show up in the test list anymore. But that might be, for this purpose, the same thing. I'll see how I might be able to handle that.

(ideally, a Meta rule would take the test logs for its non-visible sub-rules, and display them with itself)


If I can't make anything reasonable happen there, then maybe I'll have to choose one of:

1) keep the rules around as visible rules
2) go back to the original style I had of one rule that has config options for turning the different tests on/off. Then it would state in its log what the IP address was, what RDNS it found, and which rules were triggered.
3) some hybrid: BOTNET becomes a rule like #2, but the individual rules stick around ... just with a score of 0. Then you can pick between calling one big rule, or disabling the big rule and only calling the piece-meal rules.


