- Added ENABLE_WHOIS_FORCE_ASCII to replace any non-ascii characters in

whois data (which is common with whois lookups against Chinese IP
addresses for example) with the string "NA".  This option is disabled by
default, but can be useful if errors like the following are seen upon



git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2296 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

CREDITS

@@ -441,3 +441,13 @@ Dan A. Dickey
       iproute2 does not.  So, for a multi-homed interface (eth0 with multiple
       addresses), ifconfig -a only shows the first one configured and not the
       rest.  ip addr shows all of the configured addresses...".
+
+Graham Murray
+    - Reported a bug where 8-bit data included in some whois output causes mail
+      delivery problems with the following error:
+
+        <<< 554 5.6.1 Eight bit data not allowed
+        554 5.0.0 Service unavailable
+
+      The fix for this problem was the addition of the ENABLE_WHOIS_FORCE_ASCII
+      functionality.

ChangeLog

@@ -1,11 +1,19 @@
-psad-2.1.7 (07/11/2010):
+psad-2.1.7 (07/14/2010):
     - (Dan A. Dickey) Added the ability to use the "ip" command from the
       iproute2 tools to acquire IP addresses from local interfaces.  Dan's
       description is as follows: "...A main reason for doing this is in the
       case of multi-homed hosts. ifconfig sets these up on an interface using
       aliases, iproute2 does not.  So, for a multi-homed interface (eth0 with
       multiple addresses), ifconfig -a only shows the first one configured and
       not the rest.  ip addr shows all of the configured addresses...".
+    - Added ENABLE_WHOIS_FORCE_ASCII to replace any non-ascii characters in
+      whois data (which is common with whois lookups against Chinese IP
+      addresses for example) with the string "NA".  This option is disabled by
+      default, but can be useful if errors like the following are seen upon
+      receiving an email alert from psad:
+
+        <<< 554 5.6.1 Eight bit data not allowed
+        554 5.0.0 Service unavailable
 
 psad-2.1.6 (07/09/2010):
     - Bug fix for Decode_Month() calls used to handle date formats and ensure

psad

@@ -6560,6 +6560,13 @@ sub get_whois_info() {
         die "[*] Could not open $whois_datafile: $!";
     @whois_data = <W>;
     close W;
+
+    if ($config{'ENABLE_WHOIS_FORCE_ASCII'} eq 'Y') {
+        for my $line (@whois_data) {
+            $line =~ s/[^\x20-\x7e]/NA/g;
+        }
+    }
+
     return \@whois_data;
 }
 
@@ -9952,7 +9959,7 @@ sub required_vars() {
         PSADWATCHD_CHECK_INTERVAL PSADWATCHD_MAX_RETRIES SYSLOG_IDENTITY
         SYSLOG_FACILITY SYSLOG_PRIORITY ENABLE_EMAIL_LIMIT_PER_DST
         ENABLE_SYSLOG_FILE IPT_SYSLOG_FILE IPT_WRITE_FWDATA
-        ETC_RSYSLOG_CONF IFCFGTYPE
+        ETC_RSYSLOG_CONF IFCFGTYPE ENABLE_WHOIS_FORCE_ASCII
     );
     &defined_vars(\@required_vars);
     return;

psad.conf

@@ -375,6 +375,12 @@ WHOIS_TIMEOUT               60;  ### seconds
 ### lookup is issued.
 WHOIS_LOOKUP_THRESHOLD      20;
 
+### Use this option to force all whois information to contain ascii-only data.
+### Sometime whois information for IP addresses in China and other countries
+### can contain non-ascii data.  If this option is enabled, then any non-
+### ascii characters will be replaced with "NA".
+ENABLE_WHOIS_FORCE_ASCII    N;
+
 ### Set the number of times an ip can be seen before another dns
 ### lookup is issued.
 DNS_LOOKUP_THRESHOLD        20;