view xml/syslog2iptables.in @ 11:a9b52f657f08
finish coding 1.0 version
author | carl |
---|---|
date | Thu, 15 Dec 2005 16:20:17 -0800 |
parents | |
children | c2a2e35a85ac |
<reference>
  <title>@PACKAGE@</title>
  <partintro>
    <title>Packages</title>
    <para>The various source and binary packages are available at
      <ulink url="http://www.five-ten-sg.com/syslog2iptables/packages">http://www.five-ten-sg.com/syslog2iptables/packages</ulink>
    </para>
    <para>The most recent documentation is available at
      <ulink url="http://www.five-ten-sg.com/syslog2iptables/">http://www.five-ten-sg.com/syslog2iptables/</ulink>
    </para>
  </partintro>

  <refentry id="@PACKAGE@.1">
    <refentryinfo>
      <date>2005-12-15</date>
    </refentryinfo>
    <refmeta>
      <refentrytitle>@PACKAGE@</refentrytitle>
      <manvolnum>1</manvolnum>
      <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
    </refmeta>
    <refnamediv id='name.1'>
      <refname>@PACKAGE@</refname>
      <refpurpose>a simple adaptive firewall</refpurpose>
    </refnamediv>
    <refsynopsisdiv id='synopsis.1'>
      <title>Synopsis</title>
      <cmdsynopsis>
        <command>@PACKAGE@</command>
        <arg><option>-c</option></arg>
        <arg><option>-d <replaceable class="parameter">n</replaceable></option></arg>
      </cmdsynopsis>
    </refsynopsisdiv>

    <refsect1 id='description.1'>
      <title>Description</title>
      <para><command>@PACKAGE@</command> is a simple adaptive firewall. It maintains the INPUT chain of the
        <citerefentry>
          <refentrytitle>iptables</refentrytitle>
          <manvolnum>1</manvolnum>
        </citerefentry>
        firewall set based on syslog entries. These syslog entries are typically generated by your hardware firewall,
        but they could come from any source. Any syslog entry that contains a host name or ip address can be used as
        input to this package.</para>
      <para>The
        <citerefentry>
          <refentrytitle>@PACKAGE@.conf</refentrytitle>
          <manvolnum>5</manvolnum>
        </citerefentry>
        file specifies the syslog files to be monitored, and the regular expressions (<citerefentry>
          <refentrytitle>regex</refentrytitle>
          <manvolnum>7</manvolnum>
        </citerefentry>) to be applied to new lines in those files. Each regular expression needs an index to specify
        the matching substring that contains either an ip address or a host name, and a bucket count that is added to
        the leaky bucket for that ip address when a matching line is read from that syslog file.</para>
      <para>Each ip address has an associated leaky bucket, which leaks one token per second. Once the bucket contains
        more than a configurable number of tokens, that ip address is added to the INPUT chain with a DROP target.
        When the bucket is drained to zero, that ip address is removed from the INPUT chain.</para>
    </refsect1>

    <refsect1 id='options.1'>
      <title>Options</title>
      <variablelist>
        <varlistentry>
          <term>-c</term>
          <listitem>
            <para>Load the configuration file, print a canonical form of the configuration on stdout, and exit.</para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term>-d <replaceable class="parameter">n</replaceable></term>
          <listitem>
            <para>Set the debug level to <replaceable class="parameter">n</replaceable>.</para>
          </listitem>
        </varlistentry>
      </variablelist>
    </refsect1>

    <refsect1>
      <title>Usage</title>
      <para><command>@PACKAGE@</command> -d 2</para>
    </refsect1>

    <refsect1>
      <title>Configuration</title>
      <para>The configuration file is documented in
        <citerefentry>
          <refentrytitle>@PACKAGE@.conf</refentrytitle>
          <manvolnum>5</manvolnum>
        </citerefentry>.
      </para>
    </refsect1>

    <refsect1>
      <title>Copyright</title>
      <para>Copyright (C) 2005 by 510 Software Group &lt;carl@five-ten-sg.com&gt;</para>
      <para>This program is free software; you can redistribute it and/or modify it under the terms of the GNU
        General Public License as published by the Free Software Foundation; either version 2, or (at your option)
        any later version.</para>
      <para>You should have received a copy of the GNU General Public License along with this program; see the file
        COPYING. If not, please write to the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.</para>
    </refsect1>
  </refentry>

  <refentry id="@PACKAGE@.conf.5">
    <refentryinfo>
      <date>2005-12-15</date>
    </refentryinfo>
    <refmeta>
      <refentrytitle>@PACKAGE@.conf</refentrytitle>
      <manvolnum>5</manvolnum>
      <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
    </refmeta>
    <refnamediv id='name.5'>
      <refname>@PACKAGE@.conf</refname>
      <refpurpose>configuration file for @PACKAGE@</refpurpose>
    </refnamediv>
    <refsynopsisdiv id='synopsis.5'>
      <title>Synopsis</title>
      <cmdsynopsis>
        <command>@PACKAGE@.conf</command>
      </cmdsynopsis>
    </refsynopsisdiv>

    <refsect1 id='description.5'>
      <title>Description</title>
      <para>The <command>@PACKAGE@.conf</command> configuration file is specified by this partial BNF description.</para>
      <literallayout class="monospaced"><![CDATA[
CONFIG    := THRESHOLD IGNORE {FILE}+
THRESHOLD := "threshold" THRESHOLD-INTEGER-VALUE ";"
IGNORE    := "ignore" "{" IG-SINGLE+ "};"
IG-SINGLE := IP-ADDRESS "/" CIDR-BITS ";"
FILE      := "file" FILENAME "{" PATTERN+ "};"
PATTERN   := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET}+ "};"
INDEX     := "index" REGEX-INTEGER-VALUE ";"
BUCKET    := "bucket" BUCKET-ADD-INTEGER-VALUE ";"
]]></literallayout>
    </refsect1>

    <refsect1 id='sample.5'>
      <title>Sample</title>
      <literallayout class="monospaced"><![CDATA[
threshold 550;
ignore {
    127.0.0.0/8;    // localhost
};
file "/var/log/cisco.log" {
    pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" {
        index 2;    // zero based
        bucket 200;
    };
};
file "/var/log/secure" {
    pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
        index 1;    // zero based
        bucket 400;
    };
    pattern "sshd.*Failed password .* from (.*) port" {
        index 1;    // zero based
        bucket 400;
    };
};
]]></literallayout>
    </refsect1>
  </refentry>
</reference>
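The leaky-bucket rules from the Description section, driven by the threshold, ignore list and sshd patterns of the sample configuration above, as an added Python example (not the project's own code, which is a separate daemon). It assumes that the first pattern matching a line wins, that only literal addresses are scored (the real tool also accepts host names), and that time is supplied in whole seconds; the two syslog lines in the test are constructed.

```python
# Added example (not the project's code): the leaky-bucket rules from
# syslog2iptables(1), driven by the threshold, ignore list and sshd patterns
# of the sample config.  First-match-wins across patterns is an assumption.
import ipaddress
import re

THRESHOLD = 550
IGNORE = [ipaddress.ip_network("127.0.0.0/8")]
PATTERNS = [  # (regex, capture-group index from the sample, bucket add)
    (re.compile(r"sshd.*Failed password .* from ::ffff:(.*) port"), 1, 400),
    (re.compile(r"sshd.*Failed password .* from (.*) port"), 1, 400),
]

class Firewall:
    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.buckets = {}     # ip -> (tokens, time of last update)
        self.blocked = set()  # ips currently in INPUT with a DROP target

    def _leak(self, ip, now):
        tokens, last = self.buckets.get(ip, (0, now))
        tokens = max(0, tokens - int(now - last))  # one token per second
        self.buckets[ip] = (tokens, now)
        return tokens

    def feed(self, line, now):
        """Score one syslog line at time `now` (seconds); None if unmatched/ignored."""
        for regex, index, add in PATTERNS:
            m = regex.search(line)
            if not m:
                continue
            try:
                ip = ipaddress.ip_address(m.group(index))
            except ValueError:
                return None  # real tool resolves host names; literals only here
            if any(ip in net for net in IGNORE):
                return None
            tokens = self._leak(ip, now) + add
            self.buckets[ip] = (tokens, now)
            if tokens > self.threshold:
                self.blocked.add(ip)  # iptables -I INPUT -s <ip> -j DROP
            return str(ip), tokens
        return None

    def tick(self, now):
        """Drain all blocked buckets; release addresses that reached zero."""
        for ip in list(self.blocked):
            if self._leak(ip, now) == 0:
                self.blocked.remove(ip)  # iptables -D INPUT -s <ip> -j DROP
        return {str(ip) for ip in self.blocked}
```

Two failed logins one second apart (400 + 399 tokens) cross the 550 threshold, and the address is released only after its bucket has leaked back to zero, some 800 seconds later.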