lib/SyslogScan/Daemon/BlacklistDetector/EmailNotify.pm


package SyslogScan::Daemon::BlacklistDetector::EmailNotify;

use strict;
use warnings;
use SyslogScan::Daemon::BlacklistDetector::Plugin;
use Mail::SendVarious;
use Plugins::SimpleConfig;

our(@ISA) = qw(SyslogScan::Daemon::BlacklistDetector::Plugin);

my %defaults = (
	notify		=> 'root',
	renotify_time	=> 7200,
	forget_time	=> 3600,
	maxkeep		=> 100,
	sendfrom	=> 'root',
	clean_time	=> 1800,
	debug		=> 0,
);

sub config_prefix { return 'blden_' }

sub parse_config_line { simple_config_line(\%defaults, @_); }

sub new 
{ 	
	my $self = simple_new(\%defaults, @_); 
	$self->{last_clean} = 0;
	return $self;
}

my %notified;
my %found;

sub blacklisted
{
	my ($self, %info) = @_;

	my $sourceip	= $info{sourceip};
	my $destdomain	= $info{destdomain};

	my $renotify_time	= $self->{renotify_time};
	my $debug		= $self->{debug};
	my $notify		= $self->{notify};
	my $sendfrom		= $self->{sendfrom};

	push(@{$found{$sourceip}{$destdomain}}, {
		time	=> time(),
		source	=> $sourceip,
		dest	=> $destdomain,
		line	=> $info{logline},
	});

	if ($notified{$sourceip}{$destdomain} 
		&& (time - $notified{$sourceip}{$destdomain} < $renotify_time)) 
	{
		print STDERR "Not yet time to re-notify\n" if $debug;
		return;
	}

	$self->clean_found();

	my $body = '';

	$notified{$sourceip}{$destdomain} = time;
	$body .= "----------------- $sourceip to $destdomain -------------------\n";
	while (my $br = pop(@{$found{$sourceip}{$destdomain}})) {
		$body .= $br->{line};
	}
	delete $found{$sourceip}{$destdomain};
	delete $found{$sourceip} unless %{$found{$sourceip}};
	for my $source (keys %found) {
		for my $dest (keys %{$found{$source}}) {
			$notified{$source}{$dest} = time;
			$body .= "\n\n----------------- $source to $dest -------------------\n";
			while (my $br2 = pop(@{$found{$source}{$dest}})) {
				$body .= $br2->{line};
			}
		}
	}

	print STDERR "Sending notification to $notify: $destdomain\n$body\n" if $debug >= 2;
	sendmail(
		From	=> "\u$0",
		from	=> $sendfrom,
		to	=> $notify,
		subject	=> "We are blackholed by $destdomain\n",
		body	=> $body,
	);
}

sub clean_found
{
	my $self = shift;
	my $forget_time		= $self->{forget_time};
	my $debug		= $self->{debug};

	for my $source (keys %found) {
		for my $dest (keys %{$found{$source}}) {
			pop(@{$found{$source}{$dest}}) while 
				@{$found{$source}{$dest}}
				&& 
				(
					(time - $found{$source}{$dest}[0]{time} >= $forget_time)
					|| 
					@{$found{$source}{$dest}} > $self->{maxkeep}
				);
			delete $found{$source}{$dest}
				unless @{$found{$source}{$dest}};
		}
		delete $found{$source}
			unless %{$found{$source}};
	}
}

my $last_clean = 0;

sub periodic
{
	my $self = shift;
	my $debug = $self->{debug};
	if ($self->{last_clean} + $self->{clean_time} < time) {
		printf "%s periodic running\n", __PACKAGE__ if $debug;
		$self->clean_found();
		$self->{last_clean} = time;
	}
}

1;

=head1 NAME

 SyslogScan::Daemon::BlacklistDetector::EmailNotify - send email when blacklisted

=head1 SYNOPSIS

 bld_plugin SyslogScan::Daemon::BlacklistDetector::EmailNotify
	debug		0
	notify		your@email.here
	renotify_time	7200
	forget_time	3600
	sendfrom	root
	clean_time	1800
	maxkeep		100

=head1 DESCRIPTION

SyslogScan::Daemon::BlacklistDetector::EmailNotify 
sends email when SyslogScan::Daemon::BlacklistDetector
detects blacklisting.

SyslogScan::Daemon::BlacklistDetector is a plugin for
L<SyslogScan::Daemon::BlacklistDetector>.  
The SYNOPSIS shows the configuration
lines you might use in C</etc/syslogscand.conf> to turn on
the email notification.

=head1 CONFIGURATION PARAMETERS

SyslogScan::Daemon::BlacklistDetector::EmailNotify defines the following configuration
parameters which may be given in indented lines that follow
C<plugin SyslogScan::Daemon::BlacklistDetector::EmailNotify> or with the
confuration prefix (C<blden_>) anywhere in the configuration file after the 
C<plugin SyslogScan::Daemon::BlacklistDetector::EmailNotify> line.

=over 15

=item debug

(default 0) Turn on debugging.

=item notify

(default C<root>) Where should the notifications be sent?

=item sendfrom

(default C<root>) What email address should notifications be 
sent from?

=item renotify_time

(default 7200) Seconds.  How often should an additional email
be sent regarding the same destination.  Before the time is up,
extra notifications will be queued.

=item forget_time

(default 3600) Seconds.  How long should unsent notifications
be kept. 

=item maxkeep

(default 100) How many unsent notifcations can be queued regarding
the same destination?

=item clean_time

(default 1800) Seconds.  How often should the unsent notication 
queue be cleaned of extra entries?

=back

=head1 SEE ALSO

The context for the blacklist detector:
L<SyslogScan::Daemon::BlacklistDetector>

=head1 LICENSE

Copyright (C) 2006, David Muir Sharnoff <muir@idiom.com>

This module may be used and copied on the same terms as Perl
itself.
	Global
`s`	Focus search bar
`?`	Bring up this help dialog
	GitHub
`g` `p`	Go to pull requests
`g` `i`	go to github issues (only if github is preferred repository)
	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse
	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)