comparison xml/syslog2iptables.in @ 53:d6fb7fca0394 stable-1-0-13

Document multiple contexts
author Carl Byington <carl@five-ten-sg.com>
date Sun, 25 Jan 2009 08:37:36 -0800
parents 75361069c6ef
children b45dddebe8fc
17 17
18 </partintro> 18 </partintro>
19 19
20 <refentry id="@PACKAGE@.1"> 20 <refentry id="@PACKAGE@.1">
21 <refentryinfo> 21 <refentryinfo>
22 <date>2008-05-29</date> 22 <date>2009-01-25</date>
23 </refentryinfo> 23 </refentryinfo>
24 24
25 <refmeta> 25 <refmeta>
26 <refentrytitle>@PACKAGE@</refentrytitle> 26 <refentrytitle>@PACKAGE@</refentrytitle>
27 <manvolnum>1</manvolnum> 27 <manvolnum>1</manvolnum>
157 </refentry> 157 </refentry>
158 158
159 159
160 <refentry id="@PACKAGE@.conf.5"> 160 <refentry id="@PACKAGE@.conf.5">
161 <refentryinfo> 161 <refentryinfo>
162 <date>2008-05-29</date> 162 <date>2009-01-25</date>
163 </refentryinfo> 163 </refentryinfo>
164 164
165 <refmeta> 165 <refmeta>
166 <refentrytitle>@PACKAGE@.conf</refentrytitle> 166 <refentrytitle>@PACKAGE@.conf</refentrytitle>
167 <manvolnum>5</manvolnum> 167 <manvolnum>5</manvolnum>
186 specified by this partial bnf description. The entire config file 186 specified by this partial bnf description. The entire config file
187 is case sensitive. All the keywords are lower case. 187 is case sensitive. All the keywords are lower case.
188 </para> 188 </para>
189 189
190 <literallayout class="monospaced"><![CDATA[ 190 <literallayout class="monospaced"><![CDATA[
191 CONFIG := {THRESHOLD | ADD-CMD | REM-CMD | IGNORE | FILE}+ 191 CONFIG = {CONTEXT ";"}+
192 THRESHOLD := "threshold" THRESHOLD-INTEGER-VALUE ";" 192 CONTEXT = "context" NAME "{" {STATEMENT}+ "}"
193 ADD-CMD := "add_command" IPT-CMD ";" 193 STATEMENT := (THRESHOLD | ADD-CMD | REM-CMD | IGNORE | FILE) ";"
194 REM-CMD := "remove_command" IPT-CMD ";" 194 THRESHOLD := "threshold" THRESHOLD-INTEGER-VALUE
195 IGNORE := "ignore" "{" IG-SINGLE+ "};" 195 ADD-CMD := "add_command" IPT-CMD
196 IG-SINGLE := IP-ADDRESS "/" CIDR-BITS ";" 196 REM-CMD := "remove_command" IPT-CMD
197 FILE := "file" FILENAME "{" PATTERN+ "};" 197 IGNORE := "ignore" "{" IG-SINGLE+ "}"
198 IG-SINGLE := IP-ADDRESS "/" CIDR-BITS
199 FILE := "file" FILENAME "{" PATTERN+ "}"
198 PATTERN := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET | MESSAGE}+ "};" 200 PATTERN := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET | MESSAGE}+ "};"
199 INDEX := "index" REGEX-INTEGER-VALUE ";" 201 INDEX := "index" REGEX-INTEGER-VALUE ";"
200 BUCKET := "bucket" BUCKET-ADD-INTEGER-VALUE ";" 202 BUCKET := "bucket" BUCKET-ADD-INTEGER-VALUE ";"
201 MESSAGE := "message" REASON ";" 203 MESSAGE := "message" REASON ";"
202 REASON := string to appear in syslog messages 204 REASON := string to appear in syslog messages
205 </refsect1> 207 </refsect1>
206 208
207 <refsect1 id='sample.5'> 209 <refsect1 id='sample.5'>
208 <title>Sample</title> 210 <title>Sample</title>
209 <literallayout class="monospaced"><![CDATA[ 211 <literallayout class="monospaced"><![CDATA[
210 threshold 550; 212 context dns {
211 213 threshold 1100;
212 add_command "/sbin/iptables -I INPUT --src %s --jump DROP"; 214
213 remove_command "/sbin/iptables -D INPUT --src %s --jump DROP"; 215 add_command "/sbin/iptables -I INPUT --protocol udp --destination-port 53 --src %s --jump DROP";
214 216 remove_command "/sbin/iptables -D INPUT --protocol udp --destination-port 53 --src %s --jump DROP";
215 ignore { 217
216 127.0.0.0/8; // localhost 218 ignore {
219 127.0.0.0/8; // localhost
220 };
221
222 file "/var/log/messages" {
223 pattern "named.*client (.*)#.*query.*cache.*denied" {
224 index 1; // zero based
225 bucket 400;
226 message "DNS attack";
227 };
228 };
217 }; 229 };
218 230
219 file "/var/log/cisco.log" { 231
220 pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" { 232 context general {
221 index 2; // zero based 233 threshold 550;
222 bucket 200; 234
223 message "cisco firewall blocked packet"; 235 add_command "/sbin/iptables -I INPUT --src %s --jump DROP";
224 }; 236 remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";
225 }; 237
226 238 ignore {
227 file "/var/log/secure" { 239 127.0.0.0/8; // localhost
228 pattern "sshd.*Failed password .* from ::ffff:(.*) port" { 240 };
229 index 1; // zero based 241
230 bucket 400; 242 file "/var/log/secure" {
231 message "ssh failed password"; 243 pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
232 }; 244 index 1; // zero based
233 pattern "sshd.*Failed password .* from (.*) port" { 245 bucket 400;
234 index 1; // zero based 246 message "ssh failed password";
235 bucket 400; 247 };
236 message "ssh failed password"; 248 pattern "sshd.*Failed password .* from (.*) port" {
237 }; 249 index 1; // zero based
238 }; 250 bucket 400;
239 251 message "ssh failed password";
240 file "/var/log/httpd/access_log" { 252 };
241 pattern "(.*) - - .* /cgi-bin" { 253 pattern "proftpd.*no such user found from (.*) \[" {
242 index 1; // zero based 254 index 1; // zero based
243 bucket 400; 255 bucket 400;
244 message "apache cgi-bin reference"; 256 message "ftp failed password";
245 }; 257 };
246 pattern "(.*) - - .*/index2.php" { 258 };
247 index 1; // zero based 259
248 bucket 400; 260 file "/var/log/messages" {
249 message "apache index2.php reference"; 261 pattern "ipop3d.* Login failed .* \[(.*)\]" {
250 }; 262 index 1; // zero based
251 pattern "(.*) - - .*/main.php" { 263 bucket 400;
252 index 1; // zero based 264 message "pop3 failed password";
253 bucket 400; 265 };
254 message "apache main.php reference"; 266 };
255 }; 267
256 }; 268 file "/var/log/httpd/access_log" {
257 269 // of course you cannot use this if you actually use cgi-bin directories
258 file "/var/log/maillog" { 270 pattern "(.*) - - .* /cgi-bin" {
259 pattern "lost input channel from .* \[(.*)\] .* after mail" { 271 index 1; // zero based
260 index 1; // zero based 272 bucket 400;
261 bucket 200; 273 message "apache cgi-bin reference";
262 message "sendmail spammer dropping connection"; 274 };
263 }; 275 // or if you actually have an index2.php script
264 }; 276 pattern "(.*) - - .*/index2.php" {
265 277 index 1; // zero based
266 file "/var/log/messages" { 278 bucket 400;
267 pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" { 279 message "apache index2.php reference";
268 index 1; // zero based 280 };
269 bucket 300; 281 // or if you have a main.php script
270 message "ssh failed password"; 282 pattern "(.*) - - .*/main.php" {
271 }; 283 index 1; // zero based
272 pattern "sshd.pam_unix.*authentication failure.*rhost=(.*)$" { 284 bucket 400;
273 index 1; // zero based 285 message "apache main.php reference";
274 bucket 300; 286 };
275 message "ssh failed password"; 287 pattern "(.*) - - .*/awstats.pl" {
288 index 1; // zero based
289 bucket 400;
290 message "apache awstats.pl reference";
291 };
292 pattern "(.*) - - .*/adxmlrpc" {
293 index 1; // zero based
294 bucket 400;
295 message "apache adxmlrpc reference";
296 };
297 };
298
299 file "/var/log/maillog" {
300 pattern "lost input channel from .* \[(.*)\] .* after (mail|rcpt|auth)" {
301 index 1; // zero based
302 bucket 200;
303 message "sendmail spammer dropping connection";
304 };
305 pattern " \[(.*)\]: possible SMTP attack" {
306 index 1; // zero based
307 bucket 600;
308 message "sendmail authentication attack";
309 };
310 pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" {
311 index 1; // zero based
312 bucket 200;
313 message "sendmail pre-greeting";
314 };
315 pattern "dovecot.*Aborted login.*rip=(.*)," {
316 index 1; // zero based
317 bucket 100;
318 message "dovecot failed password";
319 };
320 pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," {
321 index 1; // zero based
322 bucket 100;
323 message "dovecot failed password";
324 };
325
326 // make sure your upstream MX servers are listed in the
327 // ignore block above, otherwise you will kill them off
328 // when they try to forward such mail to you.
329 pattern "sendmail.*from=<>,.*nrcpts=0,.*\[(.*)\]" {
330 index 1; // zero based
331 bucket 200;
332 message "sendmail rejected bounce";
333 };
276 }; 334 };
277 };]]></literallayout> 335 };]]></literallayout>
278 </refsect1> 336 </refsect1>
279 337
280 <refsect1 id='version.5'> 338 <refsect1 id='version.5'>