diff xml/syslog2iptables.in @ 11:a9b52f657f08
finish coding 1.0 version
author | carl |
---|---|
date | Thu, 15 Dec 2005 16:20:17 -0800 |
parents | |
children | c2a2e35a85ac |
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/xml/syslog2iptables.in Thu Dec 15 16:20:17 2005 -0800
@@ -0,0 +1,190 @@
+<reference>
+ <title>@PACKAGE@</title>
+ <partintro>
+ <title>Packages</title>
+ <para>The various source and binary packages are available at <ulink
+ url="http://www.five-ten-sg.com/syslog2iptables/packages">http://www.five-ten-sg.com/syslog2iptables/packages</ulink>
+ </para>
+ <para>The most recent documentation is available at <ulink
+ url="http://www.five-ten-sg.com/syslog2iptables/">http://www.five-ten-sg.com/syslog2iptables/</ulink>
+ </para>
+ </partintro>
+
+ <refentry id="@PACKAGE@.1">
+ <refentryinfo>
+ <date>2005-12-15</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>@PACKAGE@</refentrytitle>
+ <manvolnum>1</manvolnum>
+ <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id='name.1'>
+ <refname>@PACKAGE@</refname>
+ <refpurpose>a simple adaptive firewall</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv id='synopsis.1'>
+ <title>Synopsis</title>
+ <cmdsynopsis>
+ <command>@PACKAGE@</command>
+ <arg><option>-c</option></arg>
+ <arg><option>-d <replaceable class="parameter">n</replaceable></option></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id='description.1'>
+ <title>Description</title>
+ <para><command>@PACKAGE@</command> is a simple adaptive firewall. It
+ maintains the INPUT chain of the <citerefentry>
+ <refentrytitle>iptables</refentrytitle> <manvolnum>1</manvolnum>
+ </citerefentry> firewall set based on syslog entries. These syslog
+ entries are typically generated by your hardware firewall, but they
+ could come from any source. Any syslog entry that contains a host name
+ or ip address can be used as input to this package.</para>
+
+ <para>The <citerefentry> <refentrytitle>@PACKAGE@.conf</refentrytitle>
+ <manvolnum>5</manvolnum> </citerefentry> file specifies the syslog files
+ to be monitored, and the regular expressions (<citerefentry>
+ <refentrytitle>regex</refentrytitle> <manvolnum>7</manvolnum>
+ </citerefentry>) to be applied to new lines in those files. Each
+ regular expression needs an index to specify the matching substring that
+ contains either an ip address or host name, and a bucket count which is
+ added to the leaky bucket for that ip address when a matching line is
+ read from that syslog file.</para>
+
+ <para>Each ip address has an associated leaky bucket, which leaks one
+ token per second. Once the bucket contains more than a configurable
+ number of tokens, that ip address is added to the INPUT chain with a
+ DROP target. When the bucket is drained to zero, that ip address is
+ removed from the INPUT chain.</para>
+ </refsect1>
+
+ <refsect1 id='options.1'>
+ <title>Options</title>
+ <variablelist>
+ <varlistentry>
+ <term>-c</term>
+ <listitem>
+ <para>
+ Load the configuration file, print a cannonical form
+ of the configuration on stdout, and exit.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>-d <replaceable class="parameter">n</replaceable></term>
+ <listitem>
+ <para>
+ Set the debug level to <replaceable class="parameter">n</replaceable>.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>Usage</title>
+ <para><command>@PACKAGE@</command> -d 2</para>
+ </refsect1>
+
+ <refsect1>
+ <title>Configuration</title>
+ <para>
+ The configuration file is documented in <citerefentry>
+ <refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>Copyright</title>
+ <para>
+ Copyright (C) 2005 by 510 Software Group <carl@five-ten-sg.com>
+ </para>
+ <para>
+ This program is free software; you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by the
+ Free Software Foundation; either version 2, or (at your option) any
+ later version.
+ </para>
+ <para>
+ You should have received a copy of the GNU General Public License along
+ with this program; see the file COPYING. If not, please write to the
+ Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
+ </para>
+ </refsect1>
+ </refentry>
+
+
+ <refentry id="@PACKAGE@.conf.5">
+ <refentryinfo>
+ <date>2005-12-15</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>@PACKAGE@.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id='name.5'>
+ <refname>@PACKAGE@.conf</refname>
+ <refpurpose>configuration file for @PACKAGE@</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv id='synopsis.5'>
+ <title>Synopsis</title>
+ <cmdsynopsis>
+ <command>@PACKAGE@.conf</command>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id='description.5'>
+ <title>Description</title>
+ <para>The <command>@PACKAGE@.conf</command> configuration file is
+ specified by this partial bnf description.</para>
+
+ <literallayout class="monospaced"><![CDATA[
+CONFIG := THRESHOLD IGNORE {FILE}+
+THRESHOLD := "threshold" THRESHOLD-INTEGER-VALUE ";"
+IGNORE := "ignore" "{" IG-SINGLE+ "};"
+IG-SINGLE := IP-ADDRESS "/" CIDR-BITS ";"
+FILE := "file" FILENAME "{" PATTERN+ "};"
+PATTERN := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET}+ "};"
+INDEX := "index" REGEX-INTEGER-VALUE ";"
+BUCKET := "bucket" BUCKET-ADD-INTEGER-VALUE ";"]]></literallayout>
+ </refsect1>
+
+ <refsect1 id='sample.5'>
+ <title>Sample</title>
+ <literallayout class="monospaced"><![CDATA[
+threshold 550;
+
+ignore {
+ 127.0.0.0/8; // localhost
+};
+
+file "/var/log/cisco.log" {
+ pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" {
+ index 2; // zero based
+ bucket 200;
+ };
+};
+
+file "/var/log/secure" {
+ pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
+ index 1; // zero based
+ bucket 400;
+ };
+ pattern "sshd.*Failed password .* from (.*) port" {
+ index 1; // zero based
+ bucket 400;
+ };
+};]]></literallayout>
+ </refsect1>
+
+ </refentry>
+</reference>
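Review bot: The sample patterns for `/var/log/secure` in the `sample.5` section capture `(.*)` after a greedy `.*`, so the address that becomes a DROP rule in INPUT is whatever text sits between ` from ` and ` port ` on a line whose earlier part (the sshd user name in `Failed password for invalid user NAME from …`) is chosen by the remote peer; if sshd passes such a name through unchanged, a crafted login attempt could plausibly steer the capture toward an address the attacker wants blocked, and nothing in this file warns about that. Constrain the captures to an address shape, e.g. `pattern "sshd.*Failed password .* from ::ffff:([0-9.]+) port [0-9]+"` and `pattern "sshd.*Failed password .* from ([0-9.]+) port [0-9]+"`, and add a sentence to the `description.1` paragraph stating that a monitored log is only as trustworthy as the parties able to write into it. The `ignore` block is documented only by the `127.0.0.0/8; // localhost` example; it should also advise listing the operator's management addresses and the upstream firewall that produces the log, since a DROP on those locks the administrator out. The Description says a host name may be captured, but the file does not say whether the daemon then resolves it (a DNS query for an attacker-chosen name) nor who may write `@PACKAGE@.conf`, which governs what gets firewalled; both are worth stating explicitly.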