From 8720f6aacc6139f6d017ba8443b49eeab7ebf04c Mon Sep 17 00:00:00 2001
From: Michael Rash
Date: Sat, 17 Nov 2018 06:05:20 -0800
Subject: [PATCH] add IP_INFO data to email alerts, defaults to Talos
---
 install.pl | 3 ++-
 psad | 17 ++++++++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/install.pl b/install.pl
index 04fc817..e16600c 100755
--- a/install.pl
+++ b/install.pl
@@ -864,7 +864,8 @@ ()
 }
 for my $hr (\%config, \%cmds) {
 for my $var (keys %$hr) {
- next if $var eq 'REPUTATION_FEED';
+ next if $var eq 'REPUTATION_FEED'
+ or $var eq 'IP_INFO' or $var eq 'IP_INFO_URL';
 my $val = $hr->{$var};
 if ($val =~ m|\$(\w+)|) {
 my $sub_var = $1;
diff --git a/psad b/psad
index b789149..600d1c4 100755
--- a/psad
+++ b/psad
@@ -6182,6 +6182,13 @@ sub scan_logr() {
 }
 }
+ ### IP information URL
+ if ($config{'ENABLE_IP_INFO_URL'} eq 'Y') {
+ my $url = $config{'IP_INFO_URL'};
+ $url =~ s/\$SRC/$src/;
+ printf $fh "%${log_len}s%s\n", 'IP Info: ', "'$config{'IP_INFO_LABEL'}' - '$url'";
+ }
+
 unless ($no_posf) {
 if (defined $p0f{$src}) {
 ### prefer p0f-based fingerprinting
 ### any p0f fingerprint that contains a "@" is an
@@ -11427,6 +11434,14 @@ sub import_config() {
 ### handle variables that can be set multiple times
 if ($varname eq 'REPUTATION_FEED') {
 push @{$config{$varname}}, &reputation_feed_parse_conf_var($val);
+ } elsif ($varname eq 'IP_INFO') {
+ $config{$varname} = $val unless defined $config{$varname};
+ if ($val =~ m|\"(.*?)\"\,(.*)|) {
+ $config{'IP_INFO_LABEL'} = $1;
+ $config{'IP_INFO_URL'} = $2;
+ } else {
+ die qq/[*] Need format "
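Review bot: The extended `next if` condition in install.pl gives no hint why `IP_INFO` and `IP_INFO_URL` must be exempted from the `\$(\w+)` variable expansion that follows, so a later cleanup could fold them back in and corrupt the URL; a comment above it such as `### IP_INFO_URL holds a literal $SRC placeholder that psad substitutes at alert time, so it is not a config-variable reference` would pin the intent. The growing `or` chain would also read better as a lookup, `my %skip_expand = map { $_ => 1 } qw(REPUTATION_FEED IP_INFO IP_INFO_URL);` followed by `next if $skip_expand{$var};`. If install.pl also derives `IP_INFO_LABEL` from the same `IP_INFO` line, that value is still expanded here, which is worth confirming is intended. The enclosing loop and its subroutine start and end outside the hunk.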
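Review bot: `$url =~ s/\$SRC/$src/;` in the scan_logr() hunk replaces only the first `$SRC` in the template, so a template that names the address twice is mailed with a placeholder left in, and one that omits `$SRC` is mailed with no address, both silently; `if ($url =~ s/\$SRC/$src/g) { printf ... }` replaces every occurrence and skips the line when the template has nothing to substitute. The replacement side of `s///` applies no escaping, and `$src` is written straight into a URL that goes into outbound mail; it is presumably the source address parsed from the firewall log, so it is worth confirming it has been validated as an IP before reaching this point. `$config{'ENABLE_IP_INFO_URL'} eq 'Y'` emits an uninitialized-value warning when the key is missing from an older psad.conf, if warnings are enabled; `defined $config{'ENABLE_IP_INFO_URL'} and $config{'ENABLE_IP_INFO_URL'} eq 'Y'` avoids that. scan_logr() starts and ends outside the hunk.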