Commit f3f9a538 authored by Cool Fire (HN)'s avatar Cool Fire (HN)

first trail

parent b8146431
#!/usr/bin/env ruby
require 'date'
require 'net/smtp'
# Some configuration parameters
sender = 'noc@insomnia247.nl'
smtp_server = '127.0.0.1'
fw_logfile = '/home/coolfire/fw_block.log'
f2b_logfile = '/var/log/fail2ban.log'
......@@ -33,7 +37,7 @@ fh.each_line do |line|
if(date =~ /^#{fw_date}/)
# Check if we have this IP in the list already
if(!iplist.contains?(ip))
if(!iplist.include?(ip))
iplist.push(ip)
end
end
......@@ -59,7 +63,7 @@ fh.each_line do |line|
if(date =~ /^#{f2b_date}/)
# Check if we have this IP in the list already
if(!iplist.contains?(ip))
if(!iplist.include?(ip))
iplist.push(ip)
end
end
......@@ -68,4 +72,54 @@ end
fh.close
# Process list of agragated IP addresses
iplist.each do |ip|
if(!ip.nil?)
# Build DNS request
quads = ip.split('.')
dns_req = "#{quads[3]}.#{quads[2]}.#{quads[1]}.#{quads[0]}.abuse-contacts.abusix.org"
# Request abuse contact address from abusix.org
abuse_contact = %x(dig -t TXT +short #{dns_req}).gsub!(/"/, '')
# Check if we have in fact receive an abuse contact
if(!abuse_contact.nil? && abuse_contact != "")
# Gather details about the IP
# From suricata
fw_details = %x(grep #{ip} #{fw_logfile} | grep #{fw_date})
# From Fail2ban
f2b_details = %x(grep #{ip} #{f2b_logfile} | grep #{f2b_date})
# Build mail body
mail = %{
From: #{sender}
To: #{abuse_contact}
Subject: Abuse from #{ip}
Dear sir/madam,
We wish to inform we have been attacked from the following IP address:
#{ip}
At the bottom of this email you will find more details about this attack.
You are receiving this email because you are listed as the abuse contact for this IP address. If this is incorrect please contact your own IT department to have this corrected.
Kind regards,
The Insomnia 24/7 team
Suricata hits:
#{fw_details}
Fail2ban hits:
#{f2b_details}
}
# Send out mail
Net::SMTP.start(smtp_server) do |smtp|
smtp.send_message mail, semder, abuse_contact
end
end
end
end
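Review bot: The new loop body interpolates `ip` (taken from the suricata and fail2ban logs, whose contents an attacker can influence) straight into `%x(dig ... #{dns_req})` and `%x(grep #{ip} ...)`, and uses the DNS-derived `abuse_contact` unvalidated as both the `To:` header and the SMTP recipient; unless the IP extraction outside this hunk is strict, that is shell injection and mail-header injection from remote input, so the lookups should use the argv form of `IO.popen` and the contact should be anchored-matched as a single mailbox before use. Independently, `smtp.send_message mail, semder, abuse_contact` references an undefined `semder`, so the first successful lookup raises NameError; it should read `sender`. Also, `mail = %{` followed by a line break makes the message start with an empty line, which terminates the header block before `From:`, so the three header lines are delivered as body text; the first header should start on the same line as `%{` (or use a `<<~MAIL` heredoc). Finally, `gsub!` returns nil when the dig output contained no quotes and the output keeps its trailing newline, so `.to_s.delete('"').strip` is the safer normalisation. The enclosing `iplist.each` block is fully inside this hunk, but `fw_date` and `f2b_date` are set outside it, so the date filter below assumes they are plain substrings of the log lines.
```ruby
# Request abuse contact address from abusix.org -- argv form, no shell involved
abuse_contact = IO.popen(['dig', '-t', 'TXT', '+short', dns_req], &:read).to_s.delete('"').strip
# DNS data is remote input: accept only a single plain mailbox before using it as header/recipient
if abuse_contact =~ /\A[^\s@,<>"]+@[^\s@,<>"]+\z/
  # Gather details about the IP; -F matches the address literally (dots are not wildcards)
  fw_details = IO.popen(['grep', '-F', ip, fw_logfile], &:read).to_s.lines.select { |l| l.include?(fw_date) }.join
  f2b_details = IO.popen(['grep', '-F', ip, f2b_logfile], &:read).to_s.lines.select { |l| l.include?(f2b_date) }.join
  # … unchanged: mail body …
  Net::SMTP.start(smtp_server) do |smtp|
    smtp.send_message mail, sender, abuse_contact
  end
end
```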