diff src/syslogconfig.cpp @ 20:0d65c3de34fd

add better logging
author carl
date Sun, 08 Jan 2006 12:36:57 -0800
parents c2a2e35a85ac
children ec051169fdfd
--- a/src/syslogconfig.cpp	Sat Dec 24 06:27:00 2005 -0800
+++ b/src/syslogconfig.cpp	Sun Jan 08 12:36:57 2006 -0800
@@ -61,9 +61,10 @@
 class IPR {
 	ip_buckets	violations;
 public:
-	void add(int ip, int amount, CONFIG &con);
-	void changed(CONFIG &con);
+	void add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index);
 	void leak(int amount, CONFIG &con);
+	void update(int ip, bool added, char *file_name, int pattern_index);
+	void changed(CONFIG &con, int ip, bool added);
 };
 
 IPR recorder;
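Review bot: The new `file_name` parameters on `add` and `update` (and on `PATTERN::process` in a later hunk) are declared `char *` although the callee only reads the string through a `snprintf` `%s`; declaring them `const char *file_name` states that and lets call sites pass literals or `NULL` without a cast. `leak` passes `NULL` for it in a later hunk, so the declaration of `update` should also say that `file_name` may be null when `added` is false, e.g. `// file_name/pattern_index are only read when added is true; may be NULL/0 otherwise`.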
@@ -71,14 +72,18 @@
 
 ////////////////////////////////////////////////
 //
-void IPR::add(int ip, int amount, CONFIG &con) {
+void IPR::add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index) {
 	if (con.looking(ip)) {
 		ip_buckets::iterator i = violations.find(ip);
 		if (i == violations.end()) {
 			bucket b;
 			b.count = amount;
-			b.latch = false;
+			b.latch = (con.get_threshold() <= b.count);
 			violations[ip] = b;
+			if (b.latch) {
+				update(ip, true, file_name, pattern_index);
+				changed(con, ip, true);
+			}
 		}
 		else {
 			bucket &b = (*i).second;
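Review bot: The latch is set when `con.get_threshold() <= b.count` (and in the next hunk on `(t <= b.count)`), but `IPR::changed` in the later hunk only installs a DROP rule when `b.count > t`, so at a count exactly equal to the threshold `update()` logs "dropping traffic" while no rule is added, and the latch then suppresses any retry on later hits. The two sides should use the same comparison, e.g. keep `b.latch = (con.get_threshold() <= b.count);` here and change both tests in `changed` to `if (con.looking(ip) && (b.count >= t)) {`. `IPR::add` continues past the end of this hunk.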
@@ -88,7 +93,8 @@
 				b.count += amount;
 				if ((!b.latch) && (c < t) && (t <= b.count)) {
 					b.latch = true;
-					changed(con);
+					update(ip, true, file_name, pattern_index);
+					changed(con, ip, true);
 				}
 			}
 		}
@@ -102,7 +108,10 @@
 		int    ip = (*i).first;
 		bucket &b = (*i).second;
 		if (b.count <= amount) {
-			ch |= b.latch;
+			if (b.latch) {
+				update(ip, false, NULL, 0);
+				ch = true;
+			}
 			violations.erase(i++);
 		}
 		else {
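Review bot: The `update(ip, false, NULL, 0);` call reads as passing garbage for two parameters, and nothing at the call site says why that is safe; since `update` only formats `file_name` and `pattern_index` when `added` is true, a comment such as `// release: update() ignores file_name/pattern_index when added is false` would keep a later change to `update` from turning this into a NULL dereference. Note also that the "allowing traffic" line is logged here, before the table is actually rebuilt at the end of `leak`, so the log runs slightly ahead of the firewall state. `IPR::leak` starts before this hunk.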
@@ -110,30 +119,50 @@
 			i++;
 		}
 	}
-	if (ch) changed(con);
+	if (ch) changed(con, 0, false);
+}
+
+
+void IPR::update(int ip, bool added, char *file_name, int pattern_index) {
+	if (debug_syslog > 2) {
+		char buf[maxlen];
+		in_addr ad;
+		ad.s_addr = htonl(ip);
+		if (added) snprintf(buf, maxlen, "dropping traffic from/to %s based on pattern match %d in %s", inet_ntoa(ad), pattern_index, file_name);
+		else	   snprintf(buf, maxlen, "allowing traffic from/to %s", inet_ntoa(ad));
+		my_syslog(buf);
+	}
 }
 
 
-void IPR::changed(CONFIG &con) {
+void IPR::changed(CONFIG &con, int ip, bool added) {
+	int t = con.get_threshold();
 	char buf[maxlen];
+	if (added) {
+		bucket &b = violations[ip];
+		if (con.looking(ip) && (b.count > t)) {
+			in_addr ad;
+			ad.s_addr = htonl(ip);
+			snprintf(buf, maxlen, "count=%d %s -A INPUT --src %s --jump DROP", b.count, iptables, inet_ntoa(ad));
+			system(buf);
+		}
+	}
+	else {
+		// releasing some ip, redo the table
 	snprintf(buf, maxlen, "%s -F INPUT", iptables);
-	if (debug_syslog > 2) {
-		my_syslog(" ");
-		my_syslog(buf);
-	}
 	system(buf);
 	for (ip_buckets::iterator i=violations.begin(); i!=violations.end(); i++) {
 		int    ip = (*i).first;
 		bucket &b = (*i).second;
-		if (b.count > con.get_threshold()) {
+			if (con.looking(ip) && (b.count > t)) {
 			in_addr ad;
 			ad.s_addr = htonl(ip);
 			snprintf(buf, maxlen, "count=%d %s -A INPUT --src %s --jump DROP", b.count, iptables, inet_ntoa(ad));
-			if (debug_syslog > 2) my_syslog(buf);
 			system(buf);
 		}
 	}
 }
+}
 
 
 ////////////////////////////////////////////////
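Review bot: In `IPR::changed` the `added` branch fetches the bucket with `violations[ip]`, which default-inserts a zero-count bucket when `ip` is absent; since `changed` is public, a call with an unknown ip would silently create an entry that a later `leak` erases and logs as "allowing traffic". A lookup that bails out instead avoids that: `ip_buckets::iterator i = violations.find(ip);`, `if (i == violations.end()) return;`, `bucket &b = (*i).second;`. The `system(buf)` results in both branches are still unchecked, so a failed iptables invocation leaves the latch set with no rule installed and nothing in the log; a `my_syslog` on a non-zero return would make that visible. The body of the `else` branch also keeps the pre-patch indentation from the `-F INPUT` flush through the loop while the inner `if` was re-indented a level deeper, which makes the closing braces at the end hard to match. `IPR::leak` starts before this hunk.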
@@ -176,7 +205,7 @@
 }
 
 
-bool PATTERN::process(char *buf, CONFIG &con) {
+bool PATTERN::process(char *buf, CONFIG &con, char *file_name, int pattern_index) {
 	if (pattern) {
 		const int nmatch = index+1;
 		regmatch_t match[nmatch];
@@ -190,7 +219,7 @@
 				buf[e] = '\0';
 				int ip = ip_address(buf+s);
 				if (ip) {
-					recorder.add(ip, amount, con);
+					recorder.add(ip, amount, con, file_name, pattern_index);
 				}
 				return true;
 			}
@@ -385,9 +414,11 @@
 
 
 void SYSLOGCONFIG::process(CONFIG &con) {
+	int pi=0;
 	for (pattern_list::iterator i=patterns.begin(); i!=patterns.end(); i++) {
 		PATTERN *p = *i;
-		if (p->process(buf, con)) break;
+		if (p->process(buf, con, file_name, pi)) break;
+		pi++;
 	}
 }
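Review bot: `pi` is incremented only after a non-matching pattern, so the `pattern_index` handed to `PATTERN::process` (and later logged as `pattern match %d`) is the zero-based position of the pattern in `patterns`; nothing says so, and a reader of the syslog line is likely to count patterns from one. A comment on the declaration, `int pi=0;	// zero-based position of the pattern in this file's list, reported in the drop log`, would make that explicit, or pass `pi+1` if one-based numbering is intended. `file_name` here appears to be a SYSLOGCONFIG member, which the hunk does not show.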