"command" is the system command to be executed when the rule triggers. This feature can be used to send a notice by e-mail, to respond automatically to a worm, and so on. If the value of this field is "none", nothing is executed.
The following special words can be used in this field. When the command is executed, each word is replaced with the corresponding value.
%id
%revision
%name
%addr
%port
%logId
%logDir
"%id" will be replaced with the id of the rule.
"%revision" will be replaced with the revision of the rule.
"%name" will be replaced with the name of the rule.
"%addr" will be replaced with the IP address of the client.
"%port" will be replaced with the port of the client.
"%logId" will be replaced with the id of the log.
"%logDir" will be replaced with the value of the "sessionLogDirName" field of the "control" file.
Here is an example. We create a shell script file and save it as "/usr/local/bin/notifyAlert". The content of the file is as follows.
#!/bin/sh
# Arguments arrive in the order given in the rule's "command" field:
# $1=%logDir  $2=%addr  $3=%logId  $4=%name
myAddr=anvil@jumperz.net
# Mail a hexdump of the saved request (%logDir/%addr/%logId_req), using the rule name as the subject.
/usr/bin/hexdump "$1/$2/${3}_req" | /bin/mail -s "$4" "$myAddr"
Then create a rule like this.
<rule>
id=GID4
revision=1
name=NopSled(requestLine)
type=requestLine
pattern=\x90{4,}
condition=match
case_sensitive=no
log=yes
action=block
command=/usr/local/bin/notifyAlert %logDir %addr %logId %name
</rule>
Because the value of the "log" field is "yes", the HTTP request is saved when the rule triggers, and the system command "/usr/local/bin/notifyAlert %logDir %addr %logId %name" is executed with the special words replaced. The administrator is notified by e-mail with the alert and a hexdump of the HTTP request.
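The following added example (not part of the Guardian manual) performs the special-word expansion described above on the rule's "command" field and shows what notifyAlert receives as $1..$4 and which file it reads. It assumes the expansion is plain text replacement and that the expanded line is split into words by the shell; all rule and log values are constructed.

```shell
#!/bin/sh
# Added example, not from the Guardian manual: expand the special words of a
# rule's "command" field and check how the result reaches notifyAlert as $1..$4.
# All rule and log values below are constructed for illustration.

# expand_command TEMPLATE ID REVISION NAME ADDR PORT LOGID LOGDIR
# Plain text substitution of each %word, as the manual describes. Values that
# contain sed metacharacters (| & \) would need escaping before use here.
expand_command() {
    printf '%s\n' "$1" | sed \
        -e "s|%id|$2|g" -e "s|%revision|$3|g" -e "s|%name|$4|g" \
        -e "s|%addr|$5|g" -e "s|%port|$6|g" \
        -e "s|%logId|$7|g" -e "s|%logDir|$8|g"
}

# request_log_path LOGDIR ADDR LOGID
# The saved request that notifyAlert dumps: %logDir/%addr/%logId_req
request_log_path() {
    printf '%s/%s/%s_req\n' "$1" "$2" "$3"
}

# word_count COMMAND_LINE
# Number of words the shell splits the expanded line into (assumed behaviour);
# the script sees this minus one as $#. A rule name containing blanks would be
# split into several arguments and shift everything after it, so names used
# with %name should not contain spaces.
word_count() {
    set -f          # no globbing while splitting
    set -- $1
    set +f
    echo $#
}

# Worked run with the constructed values
main() {
    tmpl='/usr/local/bin/notifyAlert %logDir %addr %logId %name'
    cmd=$(expand_command "$tmpl" GID4 1 'NopSled(requestLine)' 192.0.2.10 54321 1001 /var/log/guardian)
    echo "expanded command: $cmd"
    echo "arguments seen by notifyAlert: $(( $(word_count "$cmd") - 1 ))"
    echo "request file read by notifyAlert: $(request_log_path /var/log/guardian 192.0.2.10 1001)"
}
main "$@"
```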