annotate syslog2iptables.conf @ 35:d2ceebcf6595 stable-1-7

add message description in patterns
author carl
date Tue, 18 Sep 2007 09:54:22 -0700
parents 28fec0c67646
children d9ae11033b4b
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
9
d76f9ff42487 initial coding
carl
parents: 5
diff changeset
1 threshold 550;
3
8fe310e5cd44 initial coding
carl
parents: 1
diff changeset
2
27
28fec0c67646 make add/remove commands configureable
carl
parents: 21
diff changeset
3 add_command "/sbin/iptables -I INPUT --src %s --jump DROP";
28fec0c67646 make add/remove commands configureable
carl
parents: 21
diff changeset
4 remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";
28fec0c67646 make add/remove commands configureable
carl
parents: 21
diff changeset
5
3
8fe310e5cd44 initial coding
carl
parents: 1
diff changeset
6 ignore {
8fe310e5cd44 initial coding
carl
parents: 1
diff changeset
7 127.0.0.0/8; // localhost
1
551433a01cab initial coding
carl
parents:
diff changeset
8 };
551433a01cab initial coding
carl
parents:
diff changeset
9
20
0d65c3de34fd add better logging
carl
parents: 9
diff changeset
10 // file "/var/log/cisco.log" {
0d65c3de34fd add better logging
carl
parents: 9
diff changeset
11 // pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" {
0d65c3de34fd add better logging
carl
parents: 9
diff changeset
12 // index 2; // zero based
0d65c3de34fd add better logging
carl
parents: 9
diff changeset
13 // bucket 200;
35
d2ceebcf6595 add message description in patterns
carl
parents: 27
diff changeset
14 // message "cisco firewall blocked packet";
20
0d65c3de34fd add better logging
carl
parents: 9
diff changeset
15 // };
0d65c3de34fd add better logging
carl
parents: 9
diff changeset
16 // };
3
8fe310e5cd44 initial coding
carl
parents: 1
diff changeset
17
5
276c4edc8521 initial coding
carl
parents: 4
diff changeset
18 file "/var/log/secure" {
276c4edc8521 initial coding
carl
parents: 4
diff changeset
19 pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
276c4edc8521 initial coding
carl
parents: 4
diff changeset
20 index 1; // zero based
9
d76f9ff42487 initial coding
carl
parents: 5
diff changeset
21 bucket 400;
35
d2ceebcf6595 add message description in patterns
carl
parents: 27
diff changeset
22 message "ssh failed password";
5
276c4edc8521 initial coding
carl
parents: 4
diff changeset
23 };
276c4edc8521 initial coding
carl
parents: 4
diff changeset
24 pattern "sshd.*Failed password .* from (.*) port" {
276c4edc8521 initial coding
carl
parents: 4
diff changeset
25 index 1; // zero based
9
d76f9ff42487 initial coding
carl
parents: 5
diff changeset
26 bucket 400;
35
d2ceebcf6595 add message description in patterns
carl
parents: 27
diff changeset
27 message "ssh failed password";
5
276c4edc8521 initial coding
carl
parents: 4
diff changeset
28 };
276c4edc8521 initial coding
carl
parents: 4
diff changeset
29 };
276c4edc8521 initial coding
carl
parents: 4
diff changeset
30
20
0d65c3de34fd add better logging
carl
parents: 9
diff changeset
31 file "/var/log/httpd/access_log" {
0d65c3de34fd add better logging
carl
parents: 9
diff changeset
32 pattern "(.*) - - .* /cgi-bin" {
0d65c3de34fd add better logging
carl
parents: 9
diff changeset
33 index 1; // zero based
0d65c3de34fd add better logging
carl
parents: 9
diff changeset
34 bucket 400;
35
d2ceebcf6595 add message description in patterns
carl
parents: 27
diff changeset
35 message "apache cgi-bin reference";
20
0d65c3de34fd add better logging
carl
parents: 9
diff changeset
36 };
0d65c3de34fd add better logging
carl
parents: 9
diff changeset
37 pattern "(.*) - - .*/index2.php" {
0d65c3de34fd add better logging
carl
parents: 9
diff changeset
38 index 1; // zero based
0d65c3de34fd add better logging
carl
parents: 9
diff changeset
39 bucket 400;
35
d2ceebcf6595 add message description in patterns
carl
parents: 27
diff changeset
40 message "apache index2.php reference";
20
0d65c3de34fd add better logging
carl
parents: 9
diff changeset
41 };
0d65c3de34fd add better logging
carl
parents: 9
diff changeset
42 pattern "(.*) - - .*/main.php" {
0d65c3de34fd add better logging
carl
parents: 9
diff changeset
43 index 1; // zero based
0d65c3de34fd add better logging
carl
parents: 9
diff changeset
44 bucket 400;
35
d2ceebcf6595 add message description in patterns
carl
parents: 27
diff changeset
45 message "apache main.php reference";
d2ceebcf6595 add message description in patterns
carl
parents: 27
diff changeset
46 };
d2ceebcf6595 add message description in patterns
carl
parents: 27
diff changeset
47 };
d2ceebcf6595 add message description in patterns
carl
parents: 27
diff changeset
48
d2ceebcf6595 add message description in patterns
carl
parents: 27
diff changeset
49 file "/var/log/maillog" {
d2ceebcf6595 add message description in patterns
carl
parents: 27
diff changeset
50 pattern "lost input channel from .* \[(.*)\] .* after mail" {
d2ceebcf6595 add message description in patterns
carl
parents: 27
diff changeset
51 index 1; // zero based
d2ceebcf6595 add message description in patterns
carl
parents: 27
diff changeset
52 bucket 200;
d2ceebcf6595 add message description in patterns
carl
parents: 27
diff changeset
53 message "sendmail spammer dropping connection";
20
0d65c3de34fd add better logging
carl
parents: 9
diff changeset
54 };
0d65c3de34fd add better logging
carl
parents: 9
diff changeset
55 };
0d65c3de34fd add better logging
carl
parents: 9
diff changeset
56
9
d76f9ff42487 initial coding
carl
parents: 5
diff changeset
57 // file "/var/log/messages" {
d76f9ff42487 initial coding
carl
parents: 5
diff changeset
58 // pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" {
d76f9ff42487 initial coding
carl
parents: 5
diff changeset
59 // index 1; // zero based
d76f9ff42487 initial coding
carl
parents: 5
diff changeset
60 // bucket 300;
35
d2ceebcf6595 add message description in patterns
carl
parents: 27
diff changeset
61 // message "ssh failed password";
9
d76f9ff42487 initial coding
carl
parents: 5
diff changeset
62 // };
d76f9ff42487 initial coding
carl
parents: 5
diff changeset
63 // pattern "sshd.pam_unix.*authentication failure.*rhost=(.*)$" {
d76f9ff42487 initial coding
carl
parents: 5
diff changeset
64 // index 1; // zero based
d76f9ff42487 initial coding
carl
parents: 5
diff changeset
65 // bucket 300;
35
d2ceebcf6595 add message description in patterns
carl
parents: 27
diff changeset
66 // message "ssh failed password";
9
d76f9ff42487 initial coding
carl
parents: 5
diff changeset
67 // };
d76f9ff42487 initial coding
carl
parents: 5
diff changeset
68 // };