small edits to x-arf.txt

Post by marty »

Chirpy, thanks for implementing X-ARF, though as it is not yet a standard, and is therefore more likely to be read by humans than machines for now, may I suggest the following minor changes to the default x-arf.txt?
From: root
To: root
Auto-Submitted: auto-generated
X-ARF: YES
Content-Type: multipart/mixed;
 boundary="csf-[boundary]"
MIME-Version: 1.0
Subject: abuse report about [ip] - [RFC3339]

This is a multi-part message in MIME format.
--csf-[boundary]
Content-Transfer-Encoding: 7bit
Content-Type:text/plain; charset=utf-8

Greetings Abuse Department,

Please be advised that your host at IP address [tip] was found attacking [service] on [hostname] [ipcount] times in the last [iptick] seconds and has been blocked from [hostname].

Attached is an X-ARF report (see http://www.x-arf.org/specification.html) and the original log report that triggered this block.

I hope that this report is useful to you.

Best Regards,
SysAdmin
[hostname]


--csf-[boundary]
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="report.txt"
Content-Type: text/plain; charset=utf8; name="report.txt";

Reported-From: [reportedfrom]
Report-ID: [reportedid]
Category: abuse
Report-Type: login-attack
Service: [service]
User-Agent: csf v[csfversion]
Date: [RFC3339]
Source: [ip]
Source-Type: [iptype]
Attachment: text/plain
Schema-URL: http://www.x-arf.org/schema/abuse_login ... 0.1.0.json

--csf-[boundary]
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="logfile.log"
Content-Type: text/plain; charset=utf8; name="logfile.log";

[text]

--csf-[boundary]--
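
How a receiving system could read a mail laid out like the template above, as an added example that is not part of this thread or of the csf or X-ARF tooling: it splits the message into the human-readable note, the report.txt fields and the log, and lists any of the template's field names that are missing. The boundary, addresses and field values are constructed, and the Schema-URL is a placeholder because the URL on this page is truncated.

```python
from email import message_from_string

# Field names the template above puts in the report.txt part.
REPORT_FIELDS = ("Reported-From", "Report-ID", "Category", "Report-Type",
                 "Service", "User-Agent", "Date", "Source", "Source-Type",
                 "Attachment", "Schema-URL")

def part_text(part):  # the template declares 7bit text/plain parts
    return part.get_payload(decode=True).decode("utf-8", "replace")

def parse_xarf(raw):
    """Split a mail laid out like the template into note, report fields, log."""
    msg = message_from_string(raw)
    if msg.get("X-ARF", "").strip().upper() != "YES" or not msg.is_multipart():
        raise ValueError("not an X-ARF multipart message")
    parts = msg.get_payload()
    if len(parts) != 3:
        raise ValueError("expected 3 MIME parts, got %d" % len(parts))
    fields = {}
    for line in part_text(parts[1]).splitlines():
        key, sep, value = line.partition(":")  # Date and URL values contain ':'
        if sep:
            fields[key.strip()] = value.strip()
    missing = [name for name in REPORT_FIELDS if not fields.get(name)]
    return {"note": part_text(parts[0]), "fields": fields,
            "missing": missing, "log": part_text(parts[2])}

# Constructed values standing in for the [placeholders]; not a real report.
SAMPLE_FIELDS = {
    "Reported-From": "abuse@example.org", "Report-ID": "1@host.example.org",
    "Category": "abuse", "Report-Type": "login-attack", "Service": "sshd",
    "User-Agent": "csf vX", "Date": "2010-04-11T09:25:00+00:00",
    "Source": "192.0.2.10", "Source-Type": "ipv4", "Attachment": "text/plain",
    "Schema-URL": "http://example.invalid/schema.json"}

def build_sample(fields):
    """Render the template's three parts (constructed note and log line)."""
    head = ("--csf-demo\nContent-Transfer-Encoding: 7bit\n"
            "Content-Type: text/plain; charset=utf-8\n\n")
    report = "".join("%s: %s\n" % item for item in fields.items())
    return ('X-ARF: YES\nContent-Type: multipart/mixed;\n boundary="csf-demo"\n'
            "MIME-Version: 1.0\n\nThis is a multi-part message in MIME format.\n"
            + head + "Greetings Abuse Department,\n\n"
            + head + report + "\n"
            + head + "sshd: Failed password for root from 192.0.2.10\n\n"
            + "--csf-demo--\n")

if __name__ == "__main__":
    print(parse_xarf(build_sample(SAMPLE_FIELDS))["missing"])
```

The greeting in the first part is ignored by the field check, so wording changes there do not affect what a parser extracts from report.txt.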

Post by fail2ban »

Hi marty,

X-ARF is not standard yet. But it is better for automatically handling Reports :-)

We have added more tools to parse the Reports on x-arf.org/tools.html
Also you can check your own Reports with the Online Validator x-arf.org/validator.html

Re:

Post by marty »

fail2ban wrote:
> Hi marty,
>
> X-ARF is not standard yet. But it is better for automatically handling Reports :-)
>
> We have added more tools to parse the Reports on x-arf.org/tools.html
> Also you can check your own Reports with the Online Validator x-arf.org/validator.html

Hi fail2ban :) (is that Tobias?)

Thank you for your reply. I agree that x-arf is good technically, but unless we can get the major ISPs to endorse it then I fear it will be practically of no use :(

I did try sending some x-arf reports to various ISPs and they were all either ignored (~10%), replied to by humans (~70%), or rejected by supposedly automated systems! (~20%).

Hence my interim suggestion to make the report more "human friendly".

Keep in touch!
Good luck with the project,
Marty