diff xml/syslog2iptables.in @ 35:d2ceebcf6595 stable-1-7

add message description in patterns
author carl
date Tue, 18 Sep 2007 09:54:22 -0700
parents 601bc0e075e1
children 6a2f26976898
--- a/xml/syslog2iptables.in	Sun Sep 09 15:46:03 2007 -0700
+++ b/xml/syslog2iptables.in	Tue Sep 18 09:54:22 2007 -0700
@@ -187,9 +187,11 @@
 IGNORE    := "ignore" "{" IG-SINGLE+ "};"
 IG-SINGLE := IP-ADDRESS "/" CIDR-BITS ";"
 FILE      := "file" FILENAME "{" PATTERN+ "};"
-PATTERN   := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET}+ "};"
+PATTERN   := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET | MESSAGE}+ "};"
 INDEX     := "index" REGEX-INTEGER-VALUE ";"
 BUCKET    := "bucket" BUCKET-ADD-INTEGER-VALUE ";"
+MESSAGE   := "message" REASON ";"
+REASON    := string to appear in syslog messages
 IPT-CMD   := string containing exactly one %s replacement token for
              the ip address]]></literallayout>
         </refsect1>
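Review bot: The new REASON production on the line after MESSAGE does not say the value is a quoted string, although every example added below writes it as `"..."`, so a reader of the grammar alone cannot tell whether bare words are accepted; `REASON    := quoted string to appear in syslog messages` would settle it, ideally in the same form the FILENAME and REGULAR-EXPRESSION productions use (those are outside this hunk). The PATTERN change also leaves MESSAGE optional, since the `+` applies to the whole `{INDEX | BUCKET | MESSAGE}` alternation, but nothing states what is logged when a pattern omits it; a sentence on that default, if the implementation has one, belongs next to the production. It may also help to say that REASON is logged verbatim, if that is what the code does, so that operators keep it free of characters that confuse their own log parsing.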
@@ -210,6 +212,7 @@
     pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" {
         index 2;    // zero based
         bucket 200;
+        message "cisco firewall blocked packet";
     };
 };
 
@@ -217,10 +220,51 @@
     pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
         index 1;    // zero based
         bucket 400;
+        message "ssh failed password";
     };
     pattern "sshd.*Failed password .* from (.*) port" {
         index 1;    // zero based
         bucket 400;
+        message "ssh failed password";
+    };
+};
+
+file "/var/log/httpd/access_log" {
+    pattern "(.*) - - .* /cgi-bin" {
+        index 1;    // zero based
+        bucket 400;
+        message "apache cgi-bin reference";
+    };
+    pattern "(.*) - - .*/index2.php" {
+        index 1;    // zero based
+        bucket 400;
+        message "apache index2.php reference";
+    };
+    pattern "(.*) - - .*/main.php" {
+        index 1;    // zero based
+        bucket 400;
+        message "apache main.php reference";
+    };
+};
+
+file "/var/log/maillog" {
+    pattern "lost input channel from .* \[(.*)\] .* after mail" {
+        index 1;    // zero based
+        bucket 200;
+        message "sendmail spammer dropping connection";
+    };
+};
+
+file "/var/log/messages" {
+    pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" {
+        index 1;    // zero based
+        bucket 300;
+        message "ssh failed password";
+    };
+    pattern "sshd.pam_unix.*authentication failure.*rhost=(.*)$" {
+        index 1;    // zero based
+        bucket 300;
+        message "ssh failed password";
     };
 };]]></literallayout>
         </refsect1>
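Review bot: The three `/var/log/httpd/access_log` examples capture the address with an unanchored greedy `(.*)` in front of ` - - `, but in an access_log line the request and user-agent fields further right are supplied by the remote client, so a line that happens to contain another ` - - ` makes the group swallow that client-supplied text instead of an address, and the grammar earlier in this file says the captured value is substituted into the `%s` of IPT-CMD. The last pattern in this hunk already uses `$`, which suggests anchors are honoured, so anchoring the start and restricting the class keeps the capture to address characters: `pattern "^([0-9.]+) - - .* /cgi-bin" {` and likewise `"^([0-9.]+) - - .*/index2.php"` and `"^([0-9.]+) - - .*/main.php"`. If the engine is POSIX basic regex rather than extended, the `+` would need checking against whatever the existing patterns in this file rely on. The same greedy-capture caveat applies, to a lesser degree, to the `rhost=(.*) user=` example, since a single-token class such as `([^ ]*)` would be tighter there.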