Abuse Report HOWTO (abusereport.pl)

Ok, abusereport.pl is located in the 'bin' directory under the scc home
directory.

> su scc (or log in as the user scc to skip this step)
> cd ~/bin

Now, to get an idea of what files are currently in that directory, simply run

> ls

It should output some of these files:
  abusereport.pl
  nimda_template
  spida_template
  abuse_list

To send out abuse reports, you need to create a file that will let the
abusereport.pl script know what to send off.  So use your favorite
text editor (pico or vim, up to you) and create (or modify) 'abuse_list',
and insert the proper contents.

> pico abuse_list

The format for the contents of the abuse_list file is:
  xxx.xxx.xxx.xxx, abuser@some-email.com, sensor_name

 o xxx.xxx.xxx.xxx is obviously the IP address.
 o abuser@some-email.com is the contact email address for the source of
   the abuse, which you most likely found at ARIN or wherever.
 o sensor_name is the name of the sensor (you know this one).  Note,
   though, that you do not _have_ to have a sensor name.  All it does is
   look up the email address for the sensor name and send a bcc to it.
   If you choose not to have a sensor_name, then do NOT put a trailing
   comma at the end.

All I have to say is, please be careful with your syntax in the abuse_list file.
Perhaps I'll get around to writing something that parses it and checks for
syntax errors sometime.

Okay, now that you have your abuse_list set up, you need to run the program
that will send off the emails.  Simply run abusereport.pl without any
parameters and it will output how to use it.  But, to give you a brief idea
how it works, it simply requires 3 parameters (template file name, date,
abuse_list file name).

An example of how to send abuse reports for Nimda infections would be:
> ./abusereport.pl -t nimda_template -l abuse_list -d 2002-05-28

An example of how to send an abuse report for Spida worms would be:
> ./abusereport.pl -t spida_template -l abuse_list -d 2002-05-28

Easy, eh?  However, it is KEY that you use that format for dates (it is
a single string).

--------------------------------------------------------------------------

Phil version (v 1.0)

Log into Miniathens as SCC and enter the password.
cd bin
pico abuse_list (or any file name you want)
attacking IP,attacker@e-mail.com,sensor-name
control X
Y for yes
./abusereport.pl -t nimda_template -l abuse_list -d yyyy-mm-dd
-t (or whatever template you choose) -l (to whatever file you choose)
   -d yyyy-mm-dd