comparison xml/syslog2iptables.in @ 53:d6fb7fca0394 stable-1-0-13
Document multiple contexts
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Sun, 25 Jan 2009 08:37:36 -0800 |
parents | 75361069c6ef |
children | b45dddebe8fc |
52:fcbc7b7efd14 | 53:d6fb7fca0394 |
---|---|
17 | 17 |
18 </partintro> | 18 </partintro> |
19 | 19 |
20 <refentry id="@PACKAGE@.1"> | 20 <refentry id="@PACKAGE@.1"> |
21 <refentryinfo> | 21 <refentryinfo> |
22 <date>2008-05-29</date> | 22 <date>2009-01-25</date> |
23 </refentryinfo> | 23 </refentryinfo> |
24 | 24 |
25 <refmeta> | 25 <refmeta> |
26 <refentrytitle>@PACKAGE@</refentrytitle> | 26 <refentrytitle>@PACKAGE@</refentrytitle> |
27 <manvolnum>1</manvolnum> | 27 <manvolnum>1</manvolnum> |
157 </refentry> | 157 </refentry> |
158 | 158 |
159 | 159 |
160 <refentry id="@PACKAGE@.conf.5"> | 160 <refentry id="@PACKAGE@.conf.5"> |
161 <refentryinfo> | 161 <refentryinfo> |
162 <date>2008-05-29</date> | 162 <date>2009-01-25</date> |
163 </refentryinfo> | 163 </refentryinfo> |
164 | 164 |
165 <refmeta> | 165 <refmeta> |
166 <refentrytitle>@PACKAGE@.conf</refentrytitle> | 166 <refentrytitle>@PACKAGE@.conf</refentrytitle> |
167 <manvolnum>5</manvolnum> | 167 <manvolnum>5</manvolnum> |
186 specified by this partial bnf description. The entire config file | 186 specified by this partial bnf description. The entire config file |
187 is case sensitive. All the keywords are lower case. | 187 is case sensitive. All the keywords are lower case. |
188 </para> | 188 </para> |
189 | 189 |
190 <literallayout class="monospaced"><![CDATA[ | 190 <literallayout class="monospaced"><![CDATA[ |
191 CONFIG := {THRESHOLD | ADD-CMD | REM-CMD | IGNORE | FILE}+ | 191 CONFIG = {CONTEXT ";"}+ |
192 THRESHOLD := "threshold" THRESHOLD-INTEGER-VALUE ";" | 192 CONTEXT = "context" NAME "{" {STATEMENT}+ "}" |
193 ADD-CMD := "add_command" IPT-CMD ";" | 193 STATEMENT := (THRESHOLD | ADD-CMD | REM-CMD | IGNORE | FILE) ";" |
194 REM-CMD := "remove_command" IPT-CMD ";" | 194 THRESHOLD := "threshold" THRESHOLD-INTEGER-VALUE |
195 IGNORE := "ignore" "{" IG-SINGLE+ "};" | 195 ADD-CMD := "add_command" IPT-CMD |
196 IG-SINGLE := IP-ADDRESS "/" CIDR-BITS ";" | 196 REM-CMD := "remove_command" IPT-CMD |
197 FILE := "file" FILENAME "{" PATTERN+ "};" | 197 IGNORE := "ignore" "{" IG-SINGLE+ "}" |
198 IG-SINGLE := IP-ADDRESS "/" CIDR-BITS | |
199 FILE := "file" FILENAME "{" PATTERN+ "}" | |
198 PATTERN := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET | MESSAGE}+ "};" | 200 PATTERN := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET | MESSAGE}+ "};" |
199 INDEX := "index" REGEX-INTEGER-VALUE ";" | 201 INDEX := "index" REGEX-INTEGER-VALUE ";" |
200 BUCKET := "bucket" BUCKET-ADD-INTEGER-VALUE ";" | 202 BUCKET := "bucket" BUCKET-ADD-INTEGER-VALUE ";" |
201 MESSAGE := "message" REASON ";" | 203 MESSAGE := "message" REASON ";" |
202 REASON := string to appear in syslog messages | 204 REASON := string to appear in syslog messages |
205 </refsect1> | 207 </refsect1> |
206 | 208 |
207 <refsect1 id='sample.5'> | 209 <refsect1 id='sample.5'> |
208 <title>Sample</title> | 210 <title>Sample</title> |
209 <literallayout class="monospaced"><![CDATA[ | 211 <literallayout class="monospaced"><![CDATA[ |
210 threshold 550; | 212 context dns { |
211 | 213 threshold 1100; |
212 add_command "/sbin/iptables -I INPUT --src %s --jump DROP"; | 214 |
213 remove_command "/sbin/iptables -D INPUT --src %s --jump DROP"; | 215 add_command "/sbin/iptables -I INPUT --protocol udp --destination-port 53 --src %s --jump DROP"; |
214 | 216 remove_command "/sbin/iptables -D INPUT --protocol udp --destination-port 53 --src %s --jump DROP"; |
215 ignore { | 217 |
216 127.0.0.0/8; // localhost | 218 ignore { |
219 127.0.0.0/8; // localhost | |
220 }; | |
221 | |
222 file "/var/log/messages" { | |
223 pattern "named.*client (.*)#.*query.*cache.*denied" { | |
224 index 1; // zero based | |
225 bucket 400; | |
226 message "DNS attack"; | |
227 }; | |
228 }; | |
217 }; | 229 }; |
218 | 230 |
219 file "/var/log/cisco.log" { | 231 |
220 pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" { | 232 context general { |
221 index 2; // zero based | 233 threshold 550; |
222 bucket 200; | 234 |
223 message "cisco firewall blocked packet"; | 235 add_command "/sbin/iptables -I INPUT --src %s --jump DROP"; |
224 }; | 236 remove_command "/sbin/iptables -D INPUT --src %s --jump DROP"; |
225 }; | 237 |
226 | 238 ignore { |
227 file "/var/log/secure" { | 239 127.0.0.0/8; // localhost |
228 pattern "sshd.*Failed password .* from ::ffff:(.*) port" { | 240 }; |
229 index 1; // zero based | 241 |
230 bucket 400; | 242 file "/var/log/secure" { |
231 message "ssh failed password"; | 243 pattern "sshd.*Failed password .* from ::ffff:(.*) port" { |
232 }; | 244 index 1; // zero based |
233 pattern "sshd.*Failed password .* from (.*) port" { | 245 bucket 400; |
234 index 1; // zero based | 246 message "ssh failed password"; |
235 bucket 400; | 247 }; |
236 message "ssh failed password"; | 248 pattern "sshd.*Failed password .* from (.*) port" { |
237 }; | 249 index 1; // zero based |
238 }; | 250 bucket 400; |
239 | 251 message "ssh failed password"; |
240 file "/var/log/httpd/access_log" { | 252 }; |
241 pattern "(.*) - - .* /cgi-bin" { | 253 pattern "proftpd.*no such user found from (.*) \[" { |
242 index 1; // zero based | 254 index 1; // zero based |
243 bucket 400; | 255 bucket 400; |
244 message "apache cgi-bin reference"; | 256 message "ftp failed password"; |
245 }; | 257 }; |
246 pattern "(.*) - - .*/index2.php" { | 258 }; |
247 index 1; // zero based | 259 |
248 bucket 400; | 260 file "/var/log/messages" { |
249 message "apache index2.php reference"; | 261 pattern "ipop3d.* Login failed .* \[(.*)\]" { |
250 }; | 262 index 1; // zero based |
251 pattern "(.*) - - .*/main.php" { | 263 bucket 400; |
252 index 1; // zero based | 264 message "pop3 failed password"; |
253 bucket 400; | 265 }; |
254 message "apache main.php reference"; | 266 }; |
255 }; | 267 |
256 }; | 268 file "/var/log/httpd/access_log" { |
257 | 269 // of course you cannot use this if you actually use cgi-bin directories |
258 file "/var/log/maillog" { | 270 pattern "(.*) - - .* /cgi-bin" { |
259 pattern "lost input channel from .* \[(.*)\] .* after mail" { | 271 index 1; // zero based |
260 index 1; // zero based | 272 bucket 400; |
261 bucket 200; | 273 message "apache cgi-bin reference"; |
262 message "sendmail spammer dropping connection"; | 274 }; |
263 }; | 275 // or if you actually have an index2.php script |
264 }; | 276 pattern "(.*) - - .*/index2.php" { |
265 | 277 index 1; // zero based |
266 file "/var/log/messages" { | 278 bucket 400; |
267 pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" { | 279 message "apache index2.php reference"; |
268 index 1; // zero based | 280 }; |
269 bucket 300; | 281 // or if you have a main.php script |
270 message "ssh failed password"; | 282 pattern "(.*) - - .*/main.php" { |
271 }; | 283 index 1; // zero based |
272 pattern "sshd.pam_unix.*authentication failure.*rhost=(.*)$" { | 284 bucket 400; |
273 index 1; // zero based | 285 message "apache main.php reference"; |
274 bucket 300; | 286 }; |
275 message "ssh failed password"; | 287 pattern "(.*) - - .*/awstats.pl" { |
288 index 1; // zero based | |
289 bucket 400; | |
290 message "apache awstats.pl reference"; | |
291 }; | |
292 pattern "(.*) - - .*/adxmlrpc" { | |
293 index 1; // zero based | |
294 bucket 400; | |
295 message "apache adxmlrpc reference"; | |
296 }; | |
297 }; | |
298 | |
299 file "/var/log/maillog" { | |
300 pattern "lost input channel from .* \[(.*)\] .* after (mail|rcpt|auth)" { | |
301 index 1; // zero based | |
302 bucket 200; | |
303 message "sendmail spammer dropping connection"; | |
304 }; | |
305 pattern " \[(.*)\]: possible SMTP attack" { | |
306 index 1; // zero based | |
307 bucket 600; | |
308 message "sendmail authentication attack"; | |
309 }; | |
310 pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" { | |
311 index 1; // zero based | |
312 bucket 200; | |
313 message "sendmail pre-greeting"; | |
314 }; | |
315 pattern "dovecot.*Aborted login.*rip=(.*)," { | |
316 index 1; // zero based | |
317 bucket 100; | |
318 message "dovecot failed password"; | |
319 }; | |
320 pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," { | |
321 index 1; // zero based | |
322 bucket 100; | |
323 message "dovecot failed password"; | |
324 }; | |
325 | |
326 // make sure your upstream MX servers are listed in the | |
327 // ignore block above, otherwise you will kill them off | |
328 // when they try to forward such mail to you. | |
329 pattern "sendmail.*from=<>,.*nrcpts=0,.*\[(.*)\]" { | |
330 index 1; // zero based | |
331 bucket 200; | |
332 message "sendmail rejected bounce"; | |
333 }; | |
276 }; | 334 }; |
277 };]]></literallayout> | 335 };]]></literallayout> |
278 </refsect1> | 336 </refsect1> |
279 | 337 |
280 <refsect1 id='version.5'> | 338 <refsect1 id='version.5'> |
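Review bot: The new grammar drops the ";" from IG-SINGLE (new line 198, `IG-SINGLE := IP-ADDRESS "/" CIDR-BITS`) while the sample still writes `127.0.0.0/8; // localhost` inside every ignore block, so the bnf and the sample now disagree; either restore `IG-SINGLE := IP-ADDRESS "/" CIDR-BITS ";"` or drop the semicolons from the sample entries. The two new productions also use `=` where every other production uses `:=` (`CONFIG = {CONTEXT ";"}+` and `CONTEXT = "context" NAME "{" {STATEMENT}+ "}"`), which reads as a typo rather than a deliberate distinction. Separately, the config(5) text still does not say what validation, if any, is applied to the captured INDEX group before it replaces `%s` in IPT-CMD; since the sample patterns capture `(.*)` from log text that remote clients influence (the sshd "from (.*) port" and the access_log leading-field patterns), one sentence stating that the substituted value must be, or is checked to be, an IP address would let operators judge the exposure of the add_command/remove_command lines.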