syslog2iptables: xml/syslog2iptables.in annotate

annotate xml/syslog2iptables.in @ 42:d9ae11033b4b stable-1-9

Add default config to firewall systems that send bounces to non-existant accounts. Switch to Mercurial source control. Update spec file for fedora packaging.

author	Carl Byington <carl@five-ten-sg.com>
date	Fri, 21 Mar 2008 14:02:32 -0700
parents	6a2f26976898
children	9e9f09cf411c

rev	line source
11 a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	1 <reference>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	2 <title>@PACKAGE@</title>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	3 <partintro>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	4 <title>Packages</title>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	5 <para>The various source and binary packages are available at <ulink
19 13b2e663b553 add trailing / on http package directory reference carl parents: 16 diff changeset	6 url="http://www.five-ten-sg.com/@PACKAGE@/packages/">http://www.five-ten-sg.com/@PACKAGE@/packages/</ulink>
12 c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	7 The most recent documentation is available at <ulink
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	8 url="http://www.five-ten-sg.com/@PACKAGE@/">http://www.five-ten-sg.com/@PACKAGE@/</ulink>
11 a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	9 </para>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	10 </partintro>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	11
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	12 <refentry id="@PACKAGE@.1">
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	13 <refentryinfo>
42 d9ae11033b4b Add default config to firewall systems that send bounces to non-existant accounts. Carl Byington <carl@five-ten-sg.com> parents: 36 diff changeset	14 <date>2008-03-21</date>
11 a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	15 </refentryinfo>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	16
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	17 <refmeta>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	18 <refentrytitle>@PACKAGE@</refentrytitle>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	19 <manvolnum>1</manvolnum>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	20 <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	21 </refmeta>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	22
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	23 <refnamediv id='name.1'>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	24 <refname>@PACKAGE@</refname>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	25 <refpurpose>a simple adaptive firewall</refpurpose>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	26 </refnamediv>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	27
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	28 <refsynopsisdiv id='synopsis.1'>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	29 <title>Synopsis</title>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	30 <cmdsynopsis>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	31 <command>@PACKAGE@</command>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	32 <arg><option>-c</option></arg>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	33 <arg><option>-d <replaceable class="parameter">n</replaceable></option></arg>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	34 </cmdsynopsis>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	35 </refsynopsisdiv>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	36
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	37 <refsect1 id='description.1'>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	38 <title>Description</title>
12 c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	39
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	40 <para><command>@PACKAGE@</command> is a simple adaptive firewall. It
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	41 maintains the INPUT chain of the <citerefentry>
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	42 <refentrytitle>iptables</refentrytitle> <manvolnum>1</manvolnum>
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	43 </citerefentry> firewall set based on syslog entries. These syslog
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	44 entries are typically generated by your hardware firewall, but they
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	45 could come from any source. Any syslog entry that contains a host name
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	46 or ip address can be used as input to this package.</para>
11 a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	47
12 c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	48 <para>The <citerefentry> <refentrytitle>@PACKAGE@.conf</refentrytitle>
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	49 <manvolnum>5</manvolnum> </citerefentry> file specifies the syslog files
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	50 to be monitored, and the regular expressions (<citerefentry>
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	51 <refentrytitle>regex</refentrytitle> <manvolnum>7</manvolnum>
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	52 </citerefentry>) to be applied to new lines in those files. Each
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	53 regular expression needs an index to specify the matching substring that
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	54 contains either an ip address or host name, and a bucket count which is
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	55 added to the leaky bucket for that ip address when a matching line is
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	56 read from that syslog file.</para>
11 a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	57
12 c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	58 <para>Each ip address has an associated leaky bucket, which leaks one
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	59 token per second. Once the bucket contains more than a configurable
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	60 threshold number of tokens, that ip address is added to the INPUT chain
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	61 with a DROP target. When the bucket is drained to zero, that ip address
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	62 is removed from the INPUT chain.</para>
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	63
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	64 <para>The discussion has focused on syslog files, but any ascii text
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	65 file can be used, so long as some other process appends lines to that
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	66 file, and those lines containing hostname or ip addresses can be matched
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	67 with some regular expression.</para>
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	68
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	69 <para>Considering syslog files in particular, these are normally rotated
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	70 via logrotate. <command>@PACKAGE@</command> properly detects and
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	71 handles this case by closing the old file, and reopening the newly
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	72 created file.</para>
11 a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	73 </refsect1>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	74
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	75 <refsect1 id='options.1'>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	76 <title>Options</title>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	77 <variablelist>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	78 <varlistentry>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	79 <term>-c</term>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	80 <listitem>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	81 <para>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	82 Load the configuration file, print a cannonical form
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	83 of the configuration on stdout, and exit.
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	84 </para>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	85 </listitem>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	86 </varlistentry>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	87 <varlistentry>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	88 <term>-d <replaceable class="parameter">n</replaceable></term>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	89 <listitem>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	90 <para>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	91 Set the debug level to <replaceable class="parameter">n</replaceable>.
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	92 </para>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	93 </listitem>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	94 </varlistentry>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	95 </variablelist>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	96 </refsect1>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	97
16 ae2767aabdbc add id strings to all ref sections carl parents: 14 diff changeset	98 <refsect1 id='usage.1'>
11 a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	99 <title>Usage</title>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	100 <para><command>@PACKAGE@</command> -d 2</para>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	101 </refsect1>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	102
16 ae2767aabdbc add id strings to all ref sections carl parents: 14 diff changeset	103 <refsect1 id='configuration.1'>
11 a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	104 <title>Configuration</title>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	105 <para>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	106 The configuration file is documented in <citerefentry>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	107 <refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum>
12 c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	108 </citerefentry>. Any change to the config file will cause it to be
c2a2e35a85ac final documentation, rpm builds properly carl parents: 11 diff changeset	109 reloaded within three minutes.
11 a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	110 </para>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	111 </refsect1>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	112
24 ec051169fdfd don't flush input chain, use -D option instead carl parents: 19 diff changeset	113 <refsect1 id='todo.1'>
ec051169fdfd don't flush input chain, use -D option instead carl parents: 19 diff changeset	114 <title>TODO</title>
ec051169fdfd don't flush input chain, use -D option instead carl parents: 19 diff changeset	115 <para>
ec051169fdfd don't flush input chain, use -D option instead carl parents: 19 diff changeset	116 The following ideas are under consideration.
ec051169fdfd don't flush input chain, use -D option instead carl parents: 19 diff changeset	117 </para>
ec051169fdfd don't flush input chain, use -D option instead carl parents: 19 diff changeset	118 <para>
ec051169fdfd don't flush input chain, use -D option instead carl parents: 19 diff changeset	119 Add a configuration option for the iptables table name in the
ec051169fdfd don't flush input chain, use -D option instead carl parents: 19 diff changeset	120 pattern statement. This implies handling multiple tables, so each
ec051169fdfd don't flush input chain, use -D option instead carl parents: 19 diff changeset	121 table needs its own map of ip addresses and bucket values.
ec051169fdfd don't flush input chain, use -D option instead carl parents: 19 diff changeset	122 </para>
ec051169fdfd don't flush input chain, use -D option instead carl parents: 19 diff changeset	123 </refsect1>
ec051169fdfd don't flush input chain, use -D option instead carl parents: 19 diff changeset	124
16 ae2767aabdbc add id strings to all ref sections carl parents: 14 diff changeset	125 <refsect1 id='copyright.1'>
11 a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	126 <title>Copyright</title>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	127 <para>
31 601bc0e075e1 gpl3 carl parents: 30 diff changeset	128 Copyright (C) 2007 by 510 Software Group <carl@five-ten-sg.com>
11 a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	129 </para>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	130 <para>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	131 This program is free software; you can redistribute it and/or modify it
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	132 under the terms of the GNU General Public License as published by the
31 601bc0e075e1 gpl3 carl parents: 30 diff changeset	133 Free Software Foundation; either version 3, or (at your option) any
11 a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	134 later version.
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	135 </para>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	136 <para>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	137 You should have received a copy of the GNU General Public License along
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	138 with this program; see the file COPYING. If not, please write to the
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	139 Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	140 </para>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	141 </refsect1>
31 601bc0e075e1 gpl3 carl parents: 30 diff changeset	142
601bc0e075e1 gpl3 carl parents: 30 diff changeset	143 <refsect1 id='version.1'>
42 d9ae11033b4b Add default config to firewall systems that send bounces to non-existant accounts. Carl Byington <carl@five-ten-sg.com> parents: 36 diff changeset	144 <title>Version</title>
31 601bc0e075e1 gpl3 carl parents: 30 diff changeset	145 <para>
42 d9ae11033b4b Add default config to firewall systems that send bounces to non-existant accounts. Carl Byington <carl@five-ten-sg.com> parents: 36 diff changeset	146 @VERSION@
31 601bc0e075e1 gpl3 carl parents: 30 diff changeset	147 </para>
601bc0e075e1 gpl3 carl parents: 30 diff changeset	148 </refsect1>
11 a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	149 </refentry>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	150
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	151
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	152 <refentry id="@PACKAGE@.conf.5">
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	153 <refentryinfo>
42 d9ae11033b4b Add default config to firewall systems that send bounces to non-existant accounts. Carl Byington <carl@five-ten-sg.com> parents: 36 diff changeset	154 <date>2008-03-21</date>
11 a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	155 </refentryinfo>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	156
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	157 <refmeta>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	158 <refentrytitle>@PACKAGE@.conf</refentrytitle>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	159 <manvolnum>5</manvolnum>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	160 <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	161 </refmeta>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	162
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	163 <refnamediv id='name.5'>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	164 <refname>@PACKAGE@.conf</refname>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	165 <refpurpose>configuration file for @PACKAGE@</refpurpose>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	166 </refnamediv>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	167
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	168 <refsynopsisdiv id='synopsis.5'>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	169 <title>Synopsis</title>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	170 <cmdsynopsis>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	171 <command>@PACKAGE@.conf</command>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	172 </cmdsynopsis>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	173 </refsynopsisdiv>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	174
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	175 <refsect1 id='description.5'>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	176 <title>Description</title>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	177 <para>The <command>@PACKAGE@.conf</command> configuration file is
27 28fec0c67646 make add/remove commands configureable carl parents: 24 diff changeset	178 specified by this partial bnf description. The entire config file
28fec0c67646 make add/remove commands configureable carl parents: 24 diff changeset	179 is case sensitive. All the keywords are lower case.
28fec0c67646 make add/remove commands configureable carl parents: 24 diff changeset	180 </para>
11 a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	181
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	182 <literallayout class="monospaced"><![CDATA[
27 28fec0c67646 make add/remove commands configureable carl parents: 24 diff changeset	183 CONFIG := {THRESHOLD \| ADD-CMD \| REM-CMD \| IGNORE \| FILE}+
11 a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	184 THRESHOLD := "threshold" THRESHOLD-INTEGER-VALUE ";"
27 28fec0c67646 make add/remove commands configureable carl parents: 24 diff changeset	185 ADD-CMD := "add_command" IPT-CMD ";"
28fec0c67646 make add/remove commands configureable carl parents: 24 diff changeset	186 REM-CMD := "remove_command" IPT-CMD ";"
11 a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	187 IGNORE := "ignore" "{" IG-SINGLE+ "};"
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	188 IG-SINGLE := IP-ADDRESS "/" CIDR-BITS ";"
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	189 FILE := "file" FILENAME "{" PATTERN+ "};"
35 d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	190 PATTERN := "pattern" REGULAR-EXPRESSION "{" {INDEX \| BUCKET \| MESSAGE}+ "};"
11 a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	191 INDEX := "index" REGEX-INTEGER-VALUE ";"
29 e16a5fb390fa make add/remove commands configureable carl parents: 27 diff changeset	192 BUCKET := "bucket" BUCKET-ADD-INTEGER-VALUE ";"
35 d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	193 MESSAGE := "message" REASON ";"
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	194 REASON := string to appear in syslog messages
27 28fec0c67646 make add/remove commands configureable carl parents: 24 diff changeset	195 IPT-CMD := string containing exactly one %s replacement token for
29 e16a5fb390fa make add/remove commands configureable carl parents: 27 diff changeset	196 the ip address]]></literallayout>
11 a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	197 </refsect1>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	198
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	199 <refsect1 id='sample.5'>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	200 <title>Sample</title>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	201 <literallayout class="monospaced"><![CDATA[
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	202 threshold 550;
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	203
27 28fec0c67646 make add/remove commands configureable carl parents: 24 diff changeset	204 add_command "/sbin/iptables -I INPUT --src %s --jump DROP";
28fec0c67646 make add/remove commands configureable carl parents: 24 diff changeset	205 remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";
28fec0c67646 make add/remove commands configureable carl parents: 24 diff changeset	206
11 a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	207 ignore {
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	208 127.0.0.0/8; // localhost
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	209 };
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	210
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	211 file "/var/log/cisco.log" {
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	212 pattern "Internet_Firewall denied (tcp\|udp) ([^(]*)" {
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	213 index 2; // zero based
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	214 bucket 200;
35 d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	215 message "cisco firewall blocked packet";
11 a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	216 };
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	217 };
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	218
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	219 file "/var/log/secure" {
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	220 pattern "sshd.Failed password . from ::ffff:(.*) port" {
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	221 index 1; // zero based
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	222 bucket 400;
35 d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	223 message "ssh failed password";
11 a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	224 };
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	225 pattern "sshd.Failed password . from (.*) port" {
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	226 index 1; // zero based
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	227 bucket 400;
35 d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	228 message "ssh failed password";
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	229 };
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	230 };
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	231
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	232 file "/var/log/httpd/access_log" {
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	233 pattern "(.) - - . /cgi-bin" {
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	234 index 1; // zero based
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	235 bucket 400;
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	236 message "apache cgi-bin reference";
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	237 };
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	238 pattern "(.) - - ./index2.php" {
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	239 index 1; // zero based
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	240 bucket 400;
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	241 message "apache index2.php reference";
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	242 };
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	243 pattern "(.) - - ./main.php" {
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	244 index 1; // zero based
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	245 bucket 400;
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	246 message "apache main.php reference";
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	247 };
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	248 };
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	249
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	250 file "/var/log/maillog" {
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	251 pattern "lost input channel from .* \[(.)\] . after mail" {
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	252 index 1; // zero based
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	253 bucket 200;
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	254 message "sendmail spammer dropping connection";
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	255 };
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	256 };
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	257
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	258 file "/var/log/messages" {
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	259 pattern "sshd.pam_unix.authentication failure.rhost=(.*) user=" {
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	260 index 1; // zero based
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	261 bucket 300;
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	262 message "ssh failed password";
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	263 };
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	264 pattern "sshd.pam_unix.authentication failure.rhost=(.*)$" {
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	265 index 1; // zero based
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	266 bucket 300;
d2ceebcf6595 add message description in patterns carl parents: 31 diff changeset	267 message "ssh failed password";
11 a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	268 };
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	269 };]]></literallayout>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	270 </refsect1>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	271
31 601bc0e075e1 gpl3 carl parents: 30 diff changeset	272 <refsect1 id='version.5'>
42 d9ae11033b4b Add default config to firewall systems that send bounces to non-existant accounts. Carl Byington <carl@five-ten-sg.com> parents: 36 diff changeset	273 <title>Version</title>
31 601bc0e075e1 gpl3 carl parents: 30 diff changeset	274 <para>
42 d9ae11033b4b Add default config to firewall systems that send bounces to non-existant accounts. Carl Byington <carl@five-ten-sg.com> parents: 36 diff changeset	275 @VERSION@
31 601bc0e075e1 gpl3 carl parents: 30 diff changeset	276 </para>
601bc0e075e1 gpl3 carl parents: 30 diff changeset	277 </refsect1>
601bc0e075e1 gpl3 carl parents: 30 diff changeset	278
11 a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	279 </refentry>
a9b52f657f08 finish coding 1.0 version carl parents: diff changeset	280 </reference>

Mercurial > syslog2iptables

annotate xml/syslog2iptables.in @ 42:d9ae11033b4b stable-1-9