-
Notifications
You must be signed in to change notification settings - Fork 8
/
labrea.sec
36 lines (31 loc) · 1.23 KB
/
labrea.sec
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
#############################################################################
# Labrea tarpit events
#
# Copyright (C) 2003-2009 Matt Jonkman
# This is free software. You may redistribute copies of it under the terms of
# the GNU General Public License version 2.
# There is NO WARRANTY, to the extent permitted by law.
#############################################################################
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+LaBrea: Initial Connect \(tarpitting\): (\d+\.\d+\.\d+\.\d+\s\d+) \-> \d+\.\d+\.\d+\.\d+\s(.*)
desc=$0
action=add TARPIT_REPORT %t: $1 New Tarpitted Connect from $2 on port $3
#type=Single
#ptype=RegExp
#pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+LaBrea: Additional Activity: (\d+\.\d+\.\d+\.\d+) \d+ \-> \d+\.\d+\.\d+\.\d+ (\d+)*
#desc=$0
#action=add TARPIT_REPORT %t: %s;
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+LaBrea: Responded to a PING: (d+\.\d+\.\d+\.\d+) \d+ \-> \d+\.\d+\.\d+\.\d+
desc=$0
action=add TARPIT_REPORT %t: PING Sweep from $@ on $3
#Send hourly tarpit report
type=Calendar
time=0 8,12,20 * * *
desc=Sending tarpit report...
action=report TARPIT_REPORT \
/usr/bin/mail -s 'Tarpits: Tarpit Victim report' [email protected]; \
delete TARPIT_REPORT