trustedsec / artillery

The Artillery Project is an open-source blue team tool designed to protect Linux and Windows operating systems through multiple methods.

Artillery was unable to log into the mail server #42

Closed dvianello closed 10 years ago

dvianello commented 10 years ago

Hi everyone,

When Artillery detects a file change, the email alert arrives perfectly; however, when it bans an IP for connecting to a honeypot port, the sending fails with the error:

Jun 25 10:43:33 immuno-security [!] Error, Artillery was unable to log into the mail server
Jun 25 10:43:33 immuno-security [!] message repeated 111 times: [ Error, Artillery was unable to log into the mail server]

Also, as a side question: the banning is quite slow, usually happening 30 seconds to 1 minute after the port is touched. Is this normal? Is it normal that the syslog is full of duplicated messages for the same IP and port?

Thank you!

katkad commented 10 years ago

hello,

Both the file-change and the honeypot mail sending are done by the warn_the_good_guys procedure, so they should behave the same. But I am probably missing something :) Do you use the current git checkout?

I don't understand why these are global variables https://github.com/trustedsec/artillery/blob/master/src/core.py#L382 when only the mail subroutine uses them.

Slow banning: probably because of the large number of rules in iptables.

dvianello commented 10 years ago

katkad, thank you for your help.

Yes, I'm using the current git checkout.

Slow banning: no iptables rules are set beyond those defined by artillery itself!

trustedsec commented 10 years ago

When reading in the threat intelligence feed, if you are spamming iptables, it gets angry; that's why the delay is in there. I can probably write different logic in for whether it's an active IP vs. intelligence feeds.

As for the global variables, that's just bad; they should all reside in mail(). Fixed in the latest release, thanks for pointing it out.

Not sure why you would be getting inconsistencies in warn_the_good_guys when using monitor vs. IP bans: monitor.py contains the main codebase, honeypot contains the IP ban, and both are identical.
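The two points raised in this thread, the slow bans caused by a fixed delay that throttles feed imports and live honeypot hits alike, and the syslog filling with repeated messages for the same IP and port, are easiest to see with a small scheduler that handles the two cases separately. The following is an added example, not Artillery's code: it does not reproduce warn_the_good_guys, mail() or Artillery's real rule layout, none of which appear on this page. The chain name ARTILLERY, the batch size, the interval and the alert window are all assumptions. Addresses are validated with the ipaddress module before they are placed in an argv, so a junk line from a feed or a log cannot reach iptables, and the rule applier is injected so the logic can be run offline.

```python
"""Added example, not Artillery's code: ban live honeypot hits at once,
apply threat-feed entries in rate-limited batches, and suppress repeat
alerts for the same (ip, port) inside a time window."""
import ipaddress
import time
from collections import deque

# Assumed chain name; Artillery's real chain and rule layout are not shown here.
CHAIN = "ARTILLERY"


def build_drop_rule(ip, chain=CHAIN):
    """Return an iptables/ip6tables argv that drops traffic from `ip`.

    ipaddress.ip_address raises ValueError on anything that is not an
    address, so a malformed feed or log entry never becomes an argv item.
    """
    addr = ipaddress.ip_address(ip)
    binary = "iptables" if addr.version == 4 else "ip6tables"
    return [binary, "-I", chain, "-s", str(addr), "-j", "DROP"]


class BanScheduler:
    def __init__(self, apply_rule, clock=time.monotonic,
                 batch_size=50, min_interval=1.0, alert_window=60.0):
        self._apply = apply_rule            # called with an argv list
        self._clock = clock                 # injectable for testing
        self._batch_size = batch_size       # feed entries per flush
        self._min_interval = min_interval   # seconds between feed flushes
        self._alert_window = alert_window   # seconds to suppress repeat alerts
        self._feed = deque()                # pending feed addresses, in order
        self._pending = set()               # same addresses, for O(1) membership
        self._banned = set()                # addresses already given a rule
        self._last_alert = {}               # (ip, port) -> time of last alert
        self._last_flush = None

    def active_hit(self, ip, port):
        """Honeypot hit: insert the rule immediately (no batching delay).

        Returns True if an alert should be sent, False if the same (ip, port)
        was already alerted on inside alert_window (the duplicate case).
        """
        addr = str(ipaddress.ip_address(ip))
        if addr not in self._banned:
            self._apply(build_drop_rule(addr))
            self._banned.add(addr)
        now = self._clock()
        key = (addr, int(port))
        last = self._last_alert.get(key)
        if last is not None and now - last < self._alert_window:
            return False
        self._last_alert[key] = now
        return True

    def add_feed(self, ips):
        """Queue feed entries; junk lines and known addresses are dropped."""
        for raw in ips:
            try:
                addr = str(ipaddress.ip_address(raw.strip()))
            except ValueError:
                continue
            if addr in self._banned or addr in self._pending:
                continue
            self._feed.append(addr)
            self._pending.add(addr)

    def flush_feed(self):
        """Apply at most batch_size queued entries, no more often than
        min_interval seconds. Returns the number of rules applied."""
        now = self._clock()
        if self._last_flush is not None and now - self._last_flush < self._min_interval:
            return 0
        applied = 0
        while self._feed and applied < self._batch_size:
            addr = self._feed.popleft()
            self._pending.discard(addr)
            if addr in self._banned:
                continue
            self._apply(build_drop_rule(addr))
            self._banned.add(addr)
            applied += 1
        if applied:
            self._last_flush = now
        return applied


if __name__ == "__main__":
    # Dry run: print the argv instead of executing it. Sample addresses are
    # constructed from documentation ranges, not taken from a real feed.
    sched = BanScheduler(print, batch_size=2, min_interval=1.0)
    print("alert:", sched.active_hit("198.51.100.7", 22))
    print("alert:", sched.active_hit("198.51.100.7", 22))   # suppressed duplicate
    sched.add_feed(["203.0.113.1", "not-an-ip", "203.0.113.2", "203.0.113.3"])
    print("applied:", sched.flush_feed())
    print("applied:", sched.flush_feed())                   # too soon, rate-limited
```

In a real deployment the `print` callback would be replaced by a `subprocess.run` of the argv (never a shell string), and a very large feed would be better loaded in one `iptables-restore --noflush` or `ipset` call rather than one `iptables` invocation per address; the point here is only that live hits and bulk imports take different paths and that repeat alerts are keyed on (ip, port).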