SyslogScan::Daemon::BlacklistDetector::EmailNotify - send email when blacklisted

SyslgScnDamn-Blacklist documentation Contained in the SyslgScnDamn-Blacklist distribution.

Index

Code Index:

NAME

Top

 SyslogScan::Daemon::BlacklistDetector::EmailNotify - send email when blacklisted

SYNOPSIS

Top

 bld_plugin SyslogScan::Daemon::BlacklistDetector::EmailNotify
	debug		0
	notify		your@email.here
	renotify_time	7200
	forget_time	3600
	sendfrom	root
	clean_time	1800
	maxkeep		100

DESCRIPTION

Top

SyslogScan::Daemon::BlacklistDetector::EmailNotify sends email when SyslogScan::Daemon::BlacklistDetector detects blacklisting.

SyslogScan::Daemon::BlacklistDetector is a plugin for SyslogScan::Daemon::BlacklistDetector. The SYNOPSIS shows the configuration lines you might use in /etc/syslogscand.conf to turn on the email notification.

CONFIGURATION PARAMETERS

Top

SyslogScan::Daemon::BlacklistDetector::EmailNotify defines the following configuration parameters which may be given in indented lines that follow plugin SyslogScan::Daemon::BlacklistDetector::EmailNotify or with the confuration prefix (blden_) anywhere in the configuration file after the plugin SyslogScan::Daemon::BlacklistDetector::EmailNotify line.

debug

(default 0) Turn on debugging.

notify

(default root) Where should the notifications be sent?

sendfrom

(default root) What email address should notifications be sent from?

renotify_time

(default 7200) Seconds. How often should an additional email be sent regarding the same destination. Before the time is up, extra notifications will be queued.

forget_time

(default 3600) Seconds. How long should unsent notifications be kept.

maxkeep

(default 100) How many unsent notifcations can be queued regarding the same destination?

clean_time

(default 1800) Seconds. How often should the unsent notication queue be cleaned of extra entries?

SEE ALSO

Top

The context for the blacklist detector: SyslogScan::Daemon::BlacklistDetector

LICENSE

Top

Copyright (C) 2006, David Muir Sharnoff <muir@idiom.com>

This module may be used and copied on the same terms as Perl itself.

SyslgScnDamn-Blacklist documentation Contained in the SyslgScnDamn-Blacklist distribution. 
package SyslogScan::Daemon::BlacklistDetector::EmailNotify;

use strict;
use warnings;
use SyslogScan::Daemon::BlacklistDetector::Plugin;
use Mail::SendVarious;
use Plugins::SimpleConfig;

our(@ISA) = qw(SyslogScan::Daemon::BlacklistDetector::Plugin);

my %defaults = (
	notify		=> 'root',
	renotify_time	=> 7200,
	forget_time	=> 3600,
	maxkeep		=> 100,
	sendfrom	=> 'root',
	clean_time	=> 1800,
	debug		=> 0,
);

sub config_prefix { return 'blden_' }

sub parse_config_line { simple_config_line(\%defaults, @_); }

sub new 
{ 	
	my $self = simple_new(\%defaults, @_); 
	$self->{last_clean} = 0;
	return $self;
}

my %notified;
my %found;

sub blacklisted
{
	my ($self, %info) = @_;

	my $sourceip	= $info{sourceip};
	my $destdomain	= $info{destdomain};

	my $renotify_time	= $self->{renotify_time};
	my $debug		= $self->{debug};
	my $notify		= $self->{notify};
	my $sendfrom		= $self->{sendfrom};

	push(@{$found{$sourceip}{$destdomain}}, {
		time	=> time(),
		source	=> $sourceip,
		dest	=> $destdomain,
		line	=> $info{logline},
	});

	if ($notified{$sourceip}{$destdomain} 
		&& (time - $notified{$sourceip}{$destdomain} < $renotify_time)) 
	{
		print STDERR "Not yet time to re-notify\n" if $debug;
		return;
	}

	$self->clean_found();

	my $body = '';

	$notified{$sourceip}{$destdomain} = time;
	$body .= "----------------- $sourceip to $destdomain -------------------\n";
	while (my $br = pop(@{$found{$sourceip}{$destdomain}})) {
		$body .= $br->{line};
	}
	delete $found{$sourceip}{$destdomain};
	delete $found{$sourceip} unless %{$found{$sourceip}};
	for my $source (keys %found) {
		for my $dest (keys %{$found{$source}}) {
			$notified{$source}{$dest} = time;
			$body .= "\n\n----------------- $source to $dest -------------------\n";
			while (my $br2 = pop(@{$found{$source}{$dest}})) {
				$body .= $br2->{line};
			}
		}
	}

	print STDERR "Sending notification to $notify: $destdomain\n$body\n" if $debug >= 2;
	sendmail(
		From	=> "\u$0",
		from	=> $sendfrom,
		to	=> $notify,
		subject	=> "We are blackholed by $destdomain\n",
		body	=> $body,
	);
}

sub clean_found
{
	my $self = shift;
	my $forget_time		= $self->{forget_time};
	my $debug		= $self->{debug};

	for my $source (keys %found) {
		for my $dest (keys %{$found{$source}}) {
			pop(@{$found{$source}{$dest}}) while 
				@{$found{$source}{$dest}}
				&& 
				(
					(time - $found{$source}{$dest}[0]{time} >= $forget_time)
					|| 
					@{$found{$source}{$dest}} > $self->{maxkeep}
				);
			delete $found{$source}{$dest}
				unless @{$found{$source}{$dest}};
		}
		delete $found{$source}
			unless %{$found{$source}};
	}
}

my $last_clean = 0;

sub periodic
{
	my $self = shift;
	my $debug = $self->{debug};
	if ($self->{last_clean} + $self->{clean_time} < time) {
		printf "%s periodic running\n", __PACKAGE__ if $debug;
		$self->clean_found();
		$self->{last_clean} = time;
	}
}

1;