Commit 3bc3577a authored by Cool Fire's avatar Cool Fire

Switched parsing from block log to alert log

parent 04898eea
......@@ -4,9 +4,11 @@ require 'date'
require 'ipaddr'
# Some configuration parameters
fw_logfile = '/home/coolfire/fw_block.log'
fw_logfile = '/home/coolfire/fw_alerts.log'
f2b_logfile = '/var/log/fail2ban.log'
own_ip = ''
cc_address = ''
iplist =
......@@ -28,11 +30,16 @@ fh.each_line do |line|
# Parse out variables
chunks = line.split('[')
date = chunks[0]
ip = chunks[6].split('}')[1].split(':')
ip = chunks[5].split('}')[1].split('->')[0].split(':')
ip = ip.first ip.size - 1
ip = ip.join(':').strip
ip = ip
# Make sure we don't report ourself
if( ip == own_ip )
# Check if line from yesterday
if(date =~ /^#{fw_date}/)
......@@ -102,7 +109,7 @@ Dear #{abuse_contact},
We wish to inform we have detected an attacked from the following IP address:
At the bottom of this email you will find more details about this attack. All times listed are #{zone}.
At the bottom of this email you will find more details about this attack.
If you believe this was misclassified as an attack please contact us so we can verify this and adjust our detection.
This email was automatically generated. You are receiving this email because you are listed as the abuse contact for this IP address. If this is incorrect please contact your own IT department to have this corrected.
......@@ -111,10 +118,14 @@ Kind regards,
The Insomnia 24/7 team
Target server addresses:
Target server timezone:
Suricata hits:
......@@ -130,4 +141,3 @@ MESSAGE_END
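Review bot: In the `@@ -28,11 +30,16 @@` hunk the new `ip = chunks[5].split('}')[1].split('->')[0].split(':')` line indexes a fixed position in the alert line with no check that the line has that shape, so any log line with fewer `[` fields or no `}` raises NoMethodError on nil and aborts the whole run, and an unexpected layout would silently yield a non-address that is later interpolated into the abuse e-mail. Since `ipaddr` is already required in the first hunk, I would skip lines that do not parse and reject anything `IPAddr.new` will not accept before it reaches the `own_ip` comparison; `ip.first ip.size - 1` also raises ArgumentError on an empty array, and `ip = ip` on the following line is a no-op that can be dropped. The exact alert-log layout is not visible here, so the field positions are kept as the commit has them; the guard only makes a malformed line a `next` instead of a crash. The `fh.each_line` block this parsing lives in starts in the hunk and continues past it.
```ruby
fh.each_line do |line|
  # Parse out variables
  chunks = line.split('[')
  date = chunks[0]
  src_field = chunks[5] && chunks[5].split('}')[1]
  next if src_field.nil?                 # line does not have the expected alert layout
  src = src_field.split('->')[0]
  next if src.nil?
  ip = src.split(':')
  next if ip.size < 2                    # need at least address and port
  ip = ip.first(ip.size - 1).join(':').strip
  begin
    IPAddr.new(ip)                       # only report something that is actually an address
  rescue IPAddr::InvalidAddressError
    next
  end
  # … unchanged: own_ip check, date check …
```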