# HG changeset patch
# User Carl Byington <carl@five-ten-sg.com>
# Date 1232901456 28800
# Node ID d6fb7fca0394954aa4adce3ed4b77f1a605d8397
# Parent  fcbc7b7efd14c6fb37d8404f5fb996028ad07545
Document multiple contexts

diff -r fcbc7b7efd14 -r d6fb7fca0394 ChangeLog
--- a/ChangeLog	Sat Jan 24 17:42:53 2009 -0800
+++ b/ChangeLog	Sun Jan 25 08:37:36 2009 -0800
@@ -1,3 +1,6 @@
+1.13 2009-01-25
+     Document multiple contexts.
+
 1.12 2009-01-24
      Allow multiple contexts with independent add/remove commands.
 
diff -r fcbc7b7efd14 -r d6fb7fca0394 NEWS
--- a/NEWS	Sat Jan 24 17:42:53 2009 -0800
+++ b/NEWS	Sun Jan 25 08:37:36 2009 -0800
@@ -1,3 +1,4 @@
+1.13 2009-01-25 Document multiple contexts.
 1.12 2009-01-24 Allow multiple contexts with independent add/remove commands.
 1.11 2008-05-29 Fixes to compile on Fedora 9 and for const correctness.
 1.10 2008-03-22 Add fixes for Solaris from sm-archive.
diff -r fcbc7b7efd14 -r d6fb7fca0394 configure.in
--- a/configure.in	Sat Jan 24 17:42:53 2009 -0800
+++ b/configure.in	Sun Jan 25 08:37:36 2009 -0800
@@ -1,6 +1,6 @@
 
 AC_PREREQ(2.59)
-AC_INIT(syslog2iptables,1.12,carl@five-ten-sg.com)
+AC_INIT(syslog2iptables,1.13,carl@five-ten-sg.com)
 AC_CONFIG_SRCDIR([config.h.in])
 AC_CONFIG_HEADER([config.h])
 
diff -r fcbc7b7efd14 -r d6fb7fca0394 syslog2iptables.conf
--- a/syslog2iptables.conf	Sat Jan 24 17:42:53 2009 -0800
+++ b/syslog2iptables.conf	Sun Jan 25 08:37:36 2009 -0800
@@ -28,14 +28,6 @@
         127.0.0.0/8;        // localhost
     };
 
-    //  file "/var/log/cisco.log" {
-    //      pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" {
-    //          index 2;    // zero based
-    //          bucket 200;
-    //          message "cisco firewall blocked packet";
-    //      };
-    //  };
-
     file "/var/log/secure" {
         pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
             index 1;    // zero based
@@ -129,18 +121,5 @@
             message "sendmail rejected bounce";
         };
     };
-
-    //  file "/var/log/messages" {
-    //      pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" {
-    //          index 1;    // zero based
-    //          bucket 300;
-    //          message "ssh failed password";
-    //      };
-    //      pattern "sshd.pam_unix.*authentication failure.*rhost=(.*)$" {
-    //          index 1;    // zero based
-    //          bucket 300;
-    //          message "ssh failed password";
-    //      };
-    //  };
 };
 
diff -r fcbc7b7efd14 -r d6fb7fca0394 syslog2iptables.spec.in
--- a/syslog2iptables.spec.in	Sat Jan 24 17:42:53 2009 -0800
+++ b/syslog2iptables.spec.in	Sun Jan 25 08:37:36 2009 -0800
@@ -69,6 +69,9 @@
 
 
 %changelog
+* Sun Jan 25 2009 Carl Byington <carl@five-ten-sg.com> - 1.13-1
+- Document multiple contexts.
+
 * Sat Jan 24 2009 Carl Byington <carl@five-ten-sg.com> - 1.12-1
 - Allow multiple contexts with independent add/remove commands.
 
diff -r fcbc7b7efd14 -r d6fb7fca0394 xml/syslog2iptables.in
--- a/xml/syslog2iptables.in	Sat Jan 24 17:42:53 2009 -0800
+++ b/xml/syslog2iptables.in	Sun Jan 25 08:37:36 2009 -0800
@@ -19,7 +19,7 @@
 
     <refentry id="@PACKAGE@.1">
         <refentryinfo>
-            <date>2008-05-29</date>
+            <date>2009-01-25</date>
         </refentryinfo>
 
         <refmeta>
@@ -159,7 +159,7 @@
 
     <refentry id="@PACKAGE@.conf.5">
         <refentryinfo>
-            <date>2008-05-29</date>
+            <date>2009-01-25</date>
         </refentryinfo>
 
         <refmeta>
@@ -188,13 +188,15 @@
             </para>
 
             <literallayout class="monospaced"><![CDATA[
-CONFIG    := {THRESHOLD | ADD-CMD | REM-CMD | IGNORE | FILE}+
-THRESHOLD := "threshold" THRESHOLD-INTEGER-VALUE ";"
-ADD-CMD   := "add_command" IPT-CMD ";"
-REM-CMD   := "remove_command" IPT-CMD ";"
-IGNORE    := "ignore" "{" IG-SINGLE+ "};"
-IG-SINGLE := IP-ADDRESS "/" CIDR-BITS ";"
-FILE      := "file" FILENAME "{" PATTERN+ "};"
+CONFIG     = {CONTEXT ";"}+
+CONTEXT    = "context" NAME "{" {STATEMENT}+ "}"
+STATEMENT := (THRESHOLD | ADD-CMD | REM-CMD | IGNORE | FILE) ";"
+THRESHOLD := "threshold" THRESHOLD-INTEGER-VALUE
+ADD-CMD   := "add_command" IPT-CMD
+REM-CMD   := "remove_command" IPT-CMD
+IGNORE    := "ignore" "{" IG-SINGLE+ "}"
+IG-SINGLE := IP-ADDRESS "/" CIDR-BITS
+FILE      := "file" FILENAME "{" PATTERN+ "}"
 PATTERN   := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET | MESSAGE}+ "};"
 INDEX     := "index" REGEX-INTEGER-VALUE ";"
 BUCKET    := "bucket" BUCKET-ADD-INTEGER-VALUE ";"
@@ -207,6 +209,27 @@
         <refsect1 id='sample.5'>
             <title>Sample</title>
             <literallayout class="monospaced"><![CDATA[
+context dns {
+    threshold 1100;
+
+    add_command    "/sbin/iptables -I INPUT --protocol udp --destination-port 53 --src %s --jump DROP";
+    remove_command "/sbin/iptables -D INPUT --protocol udp --destination-port 53 --src %s --jump DROP";
+
+    ignore {
+        127.0.0.0/8;        // localhost
+    };
+
+    file "/var/log/messages" {
+        pattern "named.*client (.*)#.*query.*cache.*denied" {
+            index 1;    // zero based
+            bucket 400;
+            message "DNS attack";
+        };
+    };
+};
+
+
+context general {
 threshold 550;
 
 add_command    "/sbin/iptables -I INPUT --src %s --jump DROP";
@@ -216,14 +239,6 @@
     127.0.0.0/8;        // localhost
 };
 
-file "/var/log/cisco.log" {
-    pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" {
-        index 2;    // zero based
-        bucket 200;
-        message "cisco firewall blocked packet";
-    };
-};
-
 file "/var/log/secure" {
     pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
         index 1;    // zero based
@@ -235,44 +250,87 @@
         bucket 400;
         message "ssh failed password";
     };
+        pattern "proftpd.*no such user found from (.*) \[" {
+            index 1;    // zero based
+            bucket 400;
+            message "ftp failed password";
+        };
+    };
+
+    file "/var/log/messages" {
+        pattern "ipop3d.* Login failed .* \[(.*)\]" {
+            index 1;    // zero based
+            bucket 400;
+            message "pop3 failed password";
+        };
 };
 
 file "/var/log/httpd/access_log" {
+        // of course you cannot use this if you actually use cgi-bin directories
     pattern "(.*) - - .* /cgi-bin" {
         index 1;    // zero based
         bucket 400;
         message "apache cgi-bin reference";
     };
+        // or if you actually have an index2.php script
     pattern "(.*) - - .*/index2.php" {
         index 1;    // zero based
         bucket 400;
         message "apache index2.php reference";
     };
+        // or if you have a main.php script
     pattern "(.*) - - .*/main.php" {
         index 1;    // zero based
         bucket 400;
         message "apache main.php reference";
     };
+        pattern "(.*) - - .*/awstats.pl" {
+            index 1;    // zero based
+            bucket 400;
+            message "apache awstats.pl reference";
+        };
+        pattern "(.*) - - .*/adxmlrpc" {
+            index 1;    // zero based
+            bucket 400;
+            message "apache adxmlrpc reference";
+        };
 };
 
 file "/var/log/maillog" {
-    pattern "lost input channel from .* \[(.*)\] .* after mail" {
+        pattern "lost input channel from .* \[(.*)\] .* after (mail|rcpt|auth)" {
         index 1;    // zero based
         bucket 200;
         message "sendmail spammer dropping connection";
     };
+        pattern " \[(.*)\]: possible SMTP attack" {
+            index 1;    // zero based
+            bucket 600;
+            message "sendmail authentication attack";
+        };
+        pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" {
+            index 1;    // zero based
+            bucket 200;
+            message "sendmail pre-greeting";
+        };
+        pattern "dovecot.*Aborted login.*rip=(.*)," {
+            index 1;    // zero based
+            bucket 100;
+            message "dovecot failed password";
+        };
+        pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," {
+            index 1;    // zero based
+            bucket 100;
+            message "dovecot failed password";
 };
 
-file "/var/log/messages" {
-    pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" {
+        // make sure your upstream MX servers are listed in the
+        // ignore block above, otherwise you will kill them off
+        // when they try to forward such mail to you.
+        pattern "sendmail.*from=<>,.*nrcpts=0,.*\[(.*)\]" {
         index 1;    // zero based
-        bucket 300;
-        message "ssh failed password";
+            bucket 200;
+            message "sendmail rejected bounce";
     };
-    pattern "sshd.pam_unix.*authentication failure.*rhost=(.*)$" {
-        index 1;    // zero based
-        bucket 300;
-        message "ssh failed password";
     };
 };]]></literallayout>
         </refsect1>