
####################################################################
#                SEC ruleset for Monitoring Keywords
####################################################################

# This particular ruleset was designed to monitor PIX syslog traffic
# and watch for keywords in URL traffic.  Starting SEC must include
# the -intevents option.
#
# Currently tested for PIX 6.x 
# 
# Submitted by Chris Sawall
# email: sawall -[at]- gmail -[dot]- com
# Last Updated: 5/20/05

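# Wait for SEC to start up or be restarted and then read in two lists
# of words.  The first being a list of words to watch for and alert on,
# the second list being a list of exclusions for a suppression rule.
#
# The two files are read with open() instead of a backtick "cat", blank
# lines are skipped, and an empty or unreadable file yields the
# never-matching regex (?!) instead of an empty string.  An empty
# string would turn the later /($list)/ and /($excludes)/ matches into
# /()/, which matches every line: every event would be mailed, or every
# event would be suppressed.
#
# Each line of the files is spliced into a regex unescaped, so the
# files are effectively regex code: keep them owned by and writable
# only by the account running SEC (the paths below live under /root).
#
# $list and $excludes are globals that the Suppress and alert rules
# below read; their names are part of this ruleset's interface.
# SEC_STARTUP / SEC_RESTART are only generated when SEC is started
# with -intevents, and context=SEC_INTERNAL_EVENT restricts this rule
# to those internal events.
#
type=Single
ptype=PerlFunc
pattern=sub { if (($_[0] eq "SEC_STARTUP") || ($_[0] eq "SEC_RESTART")) { @words = (); if (open(my $fh, '<', '/root/watch4badwords')) { @words = grep { /\S/ } map { my $l = $_; chomp($l); $l } <$fh>; close($fh); } $list = @words ? join('|', @words) : '(?!)'; @ewords = (); if (open(my $fh, '<', '/root/watch4excludes')) { @ewords = grep { /\S/ } map { my $l = $_; chomp($l); $l } <$fh>; close($fh); } $excludes = @ewords ? join('|', @ewords) : '(?!)'; } }
desc=$0
context=SEC_INTERNAL_EVENT
action=write - Set word list variable;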

# ------------------------------------------------------------------
# Scan for certain URLs
# ------------------------------------------------------------------

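# Monitor and match on keywords from the exclusions file and
# suppress reporting on them.
#
# A Suppress match ends processing of the line, so this rule must
# stay ahead of the alert rule below.  The guard returns a non-match
# while $excludes is unset or empty (SEC started without -intevents,
# or an empty exclusions file); without it /()/ would match every
# line and suppress all alerts.  $excludes is interpolated on each
# event (no /o) so that a restart can reload the list.
#
type=Suppress
continue=dontcont
ptype=PerlFunc
pattern=sub { my ($line) = @_; return () unless defined($excludes) && length($excludes); return ($line =~ /($excludes)/); }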

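# Monitor for keywords and send an email alert.
#
# The guard returns a non-match while $list is unset or empty (SEC
# started without -intevents, or an empty keyword file); without it
# /()/ would match every line and mail on every event.  The capture
# group is what SEC exposes as $1, so the context is named after the
# keyword that matched.  The context collects the timestamp (%t) and
# the whole event line ($0) and is piped to /bin/mail on report; the
# mail subject (%s) is the fixed desc, not text taken from the event.
# email01@domain.com looks like a placeholder; set the real recipient.
#
type=Single
ptype=PerlFunc
pattern=sub { my ($line) = @_; return () unless defined($list) && length($list); return ($line =~ /($list)/); }
desc=Inappropriate word in URL
action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@domain.com; delete ssh_$1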

#
# Examples of "watch4badwords" and "watch4excludes"
# 
# The file should be a newline-delimited list.  The
# rule reads the file in literally and creates
# an OR expression by putting a pipe (|) between
# all of the keywords.
# 
# Be careful about which words are being monitored.
# A bare entry such as virgin also matches virginia
# and alerts on it.
# 
# The following are examples of things that work:
# 
# ----> watch4badwords
#
# \bvirgin\b
# \byoung girl\b
# \b[Pp]layboy\b
# pr0n
# hardcore
#  
# ----> watch4excludes
# 
# \b10\.10\.2\.4\b
# \bcherry tree\b
# cnn.com
#