#############################################################################
# Labrea tarpit events
#
# Copyright (C) 2003-2009 Matt Jonkman
# This is free software. You may redistribute copies of it under the terms of 
# the GNU General Public License version 2.
# There is NO WARRANTY, to the extent permitted by law.
#############################################################################

type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+LaBrea: Initial Connect \(tarpitting\): (\d+\.\d+\.\d+\.\d+\s\d+) \-> \d+\.\d+\.\d+\.\d+\s(.*)
desc=$0
action=add TARPIT_REPORT %t: $1 New Tarpitted Connect from $2 on port $3

#type=Single
#ptype=RegExp
#pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+LaBrea: Additional Activity: (\d+\.\d+\.\d+\.\d+) \d+ \-> \d+\.\d+\.\d+\.\d+ (\d+)*
#desc=$0
#action=add TARPIT_REPORT %t: %s;
#

type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+LaBrea: Responded to a PING: (d+\.\d+\.\d+\.\d+) \d+ \-> \d+\.\d+\.\d+\.\d+
desc=$0
action=add TARPIT_REPORT %t: PING Sweep from $@ on $3

#Send hourly tarpit report

type=Calendar
time=0 8,12,20 * * *
desc=Sending tarpit report...
action=report TARPIT_REPORT \
       /usr/bin/mail -s 'Tarpits: Tarpit Victim report' alerts@example.com; \
       delete TARPIT_REPORT