comparison xml/syslog2iptables.in @ 35:d2ceebcf6595 stable-1-7

add message description in patterns
author carl
date Tue, 18 Sep 2007 09:54:22 -0700
parents 601bc0e075e1
children 6a2f26976898
34:a3fee10284e2 35:d2ceebcf6595
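--- a/xml/syslog2iptables.in
+++ b/xml/syslog2iptables.in
@@ -185,13 +185,15 @@
 ADD-CMD := "add_command" IPT-CMD ";"
 REM-CMD := "remove_command" IPT-CMD ";"
 IGNORE := "ignore" "{" IG-SINGLE+ "};"
 IG-SINGLE := IP-ADDRESS "/" CIDR-BITS ";"
 FILE := "file" FILENAME "{" PATTERN+ "};"
-PATTERN := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET}+ "};"
+PATTERN := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET | MESSAGE}+ "};"
 INDEX := "index" REGEX-INTEGER-VALUE ";"
 BUCKET := "bucket" BUCKET-ADD-INTEGER-VALUE ";"
+MESSAGE := "message" REASON ";"
+REASON := string to appear in syslog messages
 IPT-CMD := string containing exactly one %s replacement token for
 the ip address]]></literallayout>
 </refsect1>
 
 <refsect1 id='sample.5'>
@@ -208,21 +210,63 @@
 
 file "/var/log/cisco.log" {
 pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" {
 index 2; // zero based
 bucket 200;
+message "cisco firewall blocked packet";
 };
 };
 
 file "/var/log/secure" {
 pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
 index 1; // zero based
 bucket 400;
+message "ssh failed password";
 };
 pattern "sshd.*Failed password .* from (.*) port" {
 index 1; // zero based
 bucket 400;
+message "ssh failed password";
+};
+};
+
+file "/var/log/httpd/access_log" {
+pattern "(.*) - - .* /cgi-bin" {
+index 1; // zero based
+bucket 400;
+message "apache cgi-bin reference";
+};
+pattern "(.*) - - .*/index2.php" {
+index 1; // zero based
+bucket 400;
+message "apache index2.php reference";
+};
+pattern "(.*) - - .*/main.php" {
+index 1; // zero based
+bucket 400;
+message "apache main.php reference";
+};
+};
+
+file "/var/log/maillog" {
+pattern "lost input channel from .* \[(.*)\] .* after mail" {
+index 1; // zero based
+bucket 200;
+message "sendmail spammer dropping connection";
+};
+};
+
+file "/var/log/messages" {
+pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" {
+index 1; // zero based
+bucket 300;
+message "ssh failed password";
+};
+pattern "sshd.pam_unix.*authentication failure.*rhost=(.*)$" {
+index 1; // zero based
+bucket 300;
+message "ssh failed password";
 };
 };]]></literallayout>
 </refsect1>
 
 <refsect1 id='version.5'>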
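Review bot: The three new httpd patterns in the sample config (`(.*) - - .* /cgi-bin`, `(.*) - - .*/index2.php`, `(.*) - - .*/main.php`) open with an unanchored greedy `(.*)`, so group 1 is whatever precedes the last ` - - ` on the log line rather than necessarily the client address, and that capture is what IPT-CMD's `%s` receives. Apache access_log request fields (request line, referrer, user agent) are supplied by the remote client and may contain ` - - `, so a crafted request can make the capture something other than an address. Anchoring the capture to the start of the line and to non-space characters, e.g. `pattern "^([^ ]+) - - .* /cgi-bin" {`, keeps the sample from substituting arbitrary log text into the command; the same applies to the index2.php and main.php patterns. Whether syslog2iptables validates the captured string as an IP address before substitution is not visible on this page.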