changeset 20:0d65c3de34fd

add better logging
author carl
date Sun, 08 Jan 2006 12:36:57 -0800
parents 13b2e663b553
children 2342081106d9
files ChangeLog configure.in libtool remote src/syslog2iptables.cpp src/syslogconfig.cpp src/syslogconfig.h syslog2iptables.conf syslog2iptables.rc
diffstat 9 files changed, 115 insertions(+), 48 deletions(-) [+]
--- a/ChangeLog	Sat Dec 24 06:27:00 2005 -0800
+++ b/ChangeLog	Sun Jan 08 12:36:57 2006 -0800
@@ -1,5 +1,8 @@
     $Id$
 
+1.1 2006-01-08
+    Add syslog entries when new ip addresses are blocked or released.
+
 1.0 2005-12-17
     Initial release.
 
--- a/configure.in	Sat Dec 24 06:27:00 2005 -0800
+++ b/configure.in	Sun Jan 08 12:36:57 2006 -0800
@@ -1,7 +1,7 @@
 AC_INIT(configure.in)
 
 AM_CONFIG_HEADER(config.h)
-AM_INIT_AUTOMAKE(syslog2iptables,1.0)
+AM_INIT_AUTOMAKE(syslog2iptables,1.1)
 AC_PATH_PROGS(BASH, bash)
 
 AC_LANG_CPLUSPLUS
--- a/libtool	Sat Dec 24 06:27:00 2005 -0800
+++ b/libtool	Sun Jan 08 12:36:57 2006 -0800
@@ -1,7 +1,7 @@
 #! /bin/sh
 
 # libtoolT - Provide generalized library-building support services.
-# Generated automatically by  (GNU syslog2iptables 1.0)
+# Generated automatically by  (GNU syslog2iptables 1.1)
 # NOTE: Changes made to this file will be lost: look at ltmain.sh.
 #
 # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001
--- a/remote	Sat Dec 24 06:27:00 2005 -0800
+++ b/remote	Sun Jan 08 12:36:57 2006 -0800
@@ -8,20 +8,27 @@
     ssh $a "$b"
 }
 
-n=syslog2iptables
-v=0.1
-t='ams ns1'
-t='mbmg'
+T=`grep AM_INIT_AUTOMAKE configure.in | cut -d'(' -f2`
+NAME=`echo $T | cut -d, -f1`
+VER=`echo $T | cut -d, -f2 | cut -d')' -f1`
+BALL=$NAME-$VER.tar.gz
+web=/home/httpd/html/510sg/$NAME
+GZ=$web/packages/$BALL
+
+t='ams ns1 mbmg'
 for i in $t; do
-    scp $n*gz $i:/tmp
-    me $i "cd /tmp; tar xfz $n*gz"
-    me $i "cd /tmp/$n-$v; ./configure"
-    me $i "cd /tmp/$n-$v; make"
-    me $i "cd /tmp/$n-$v; make install"
-    me $i "/etc/rc.d/init.d/$n stop"
+    scp $GZ $i:/tmp
+    me $i "cd /tmp; tar xfz $BALL"
+    me $i "cd /tmp/$NAME-$VER; ./configure"
+    me $i "cd /tmp/$NAME-$VER; make"
+    me $i "cd /tmp/$NAME-$VER; make install"
+    me $i "/etc/rc.d/init.d/$NAME stop"
     me $i "/sbin/iptables -F INPUT"
-    me $i "cd /tmp/$n-$v; make chkconfig"
+    me $i "cd /tmp/$NAME-$VER; make chkconfig"
     if [ -f remote.$i ]; then
-        scp remote.$i $i:/etc/$n.conf
+        scp remote.$i $i:/etc/$NAME.conf
+    else
+        scp /etc/$NAME.conf $i:/etc/$NAME.conf
     fi
+    me $i "/etc/rc.d/init.d/$NAME start"
 done
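Review bot: None of the remote steps is checked for failure, so a failed `scp`, `./configure` or `make` still proceeds to `make install`, stops the service and runs `/sbin/iptables -F INPUT`, leaving the host with an empty INPUT chain and whatever old binary survived until the final start. Chaining the build in one remote command, `me $i "cd /tmp/$NAME-$VER && ./configure && make && make install"`, and skipping the stop/flush/start when it fails keeps a broken build from taking the filter down. The `tar xfz $BALL` extraction also lands in the shared /tmp, so a stale or foreign /tmp/$NAME-$VER left from an earlier run is what the following `cd` steps operate on; a per-run `mktemp -d` directory avoids that. The `me` helper is defined above this hunk.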
--- a/src/syslog2iptables.cpp	Sat Dec 24 06:27:00 2005 -0800
+++ b/src/syslog2iptables.cpp	Sun Jan 08 12:36:57 2006 -0800
@@ -20,7 +20,7 @@
 
 // debug levels:
 // 4 - show syslog lines that match regex
-// 3 - show iptables commands
+// 3 - show addresses being dropped/released from the filter
 // 2 - show files open/close
 // 1 - show config files loading
 
--- a/src/syslogconfig.cpp	Sat Dec 24 06:27:00 2005 -0800
+++ b/src/syslogconfig.cpp	Sun Jan 08 12:36:57 2006 -0800
@@ -61,9 +61,10 @@
 class IPR {
 	ip_buckets	violations;
 public:
-	void add(int ip, int amount, CONFIG &con);
-	void changed(CONFIG &con);
+	void add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index);
 	void leak(int amount, CONFIG &con);
+	void update(int ip, bool added, char *file_name, int pattern_index);
+	void changed(CONFIG &con, int ip, bool added);
 };
 
 IPR recorder;
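Review bot: The new `char *file_name` parameters on `add` and `update` are only ever read (formatted with `%s`), so declaring them `const char *file_name` would state that and stop forcing non-const pointers on callers; the same applies to the matching definitions of IPR::add and IPR::update and to PATTERN::process in syslogconfig.h and its definition later in this file. Since `leak` calls `update(ip, false, NULL, 0)`, the declaration should also say when the pointer may be null, e.g. `// file_name and pattern_index are read only when added is true; NULL/0 are accepted otherwise` above `update`, because the `added` branch passes `file_name` straight to `%s`.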
@@ -71,14 +72,18 @@
 
 ////////////////////////////////////////////////
 //
-void IPR::add(int ip, int amount, CONFIG &con) {
+void IPR::add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index) {
 	if (con.looking(ip)) {
 		ip_buckets::iterator i = violations.find(ip);
 		if (i == violations.end()) {
 			bucket b;
 			b.count = amount;
-			b.latch = false;
+			b.latch = (con.get_threshold() <= b.count);
 			violations[ip] = b;
+			if (b.latch) {
+				update(ip, true, file_name, pattern_index);
+				changed(con, ip, true);
+			}
 		}
 		else {
 			bucket &b = (*i).second;
@@ -88,7 +93,8 @@
 				b.count += amount;
 				if ((!b.latch) && (c < t) && (t <= b.count)) {
 					b.latch = true;
-					changed(con);
+					update(ip, true, file_name, pattern_index);
+					changed(con, ip, true);
 				}
 			}
 		}
@@ -102,7 +108,10 @@
 		int    ip = (*i).first;
 		bucket &b = (*i).second;
 		if (b.count <= amount) {
-			ch |= b.latch;
+			if (b.latch) {
+				update(ip, false, NULL, 0);
+				ch = true;
+			}
 			violations.erase(i++);
 		}
 		else {
@@ -110,30 +119,50 @@
 			i++;
 		}
 	}
-	if (ch) changed(con);
+	if (ch) changed(con, 0, false);
+}
+
+
+void IPR::update(int ip, bool added, char *file_name, int pattern_index) {
+	if (debug_syslog > 2) {
+		char buf[maxlen];
+		in_addr ad;
+		ad.s_addr = htonl(ip);
+		if (added) snprintf(buf, maxlen, "dropping traffic from/to %s based on pattern match %d in %s", inet_ntoa(ad), pattern_index, file_name);
+		else	   snprintf(buf, maxlen, "allowing traffic from/to %s", inet_ntoa(ad));
+		my_syslog(buf);
+	}
 }
 
 
-void IPR::changed(CONFIG &con) {
+void IPR::changed(CONFIG &con, int ip, bool added) {
+	int t = con.get_threshold();
 	char buf[maxlen];
+	if (added) {
+		bucket &b = violations[ip];
+		if (con.looking(ip) && (b.count > t)) {
+			in_addr ad;
+			ad.s_addr = htonl(ip);
+			snprintf(buf, maxlen, "count=%d %s -A INPUT --src %s --jump DROP", b.count, iptables, inet_ntoa(ad));
+			system(buf);
+		}
+	}
+	else {
+		// releasing some ip, redo the table
 	snprintf(buf, maxlen, "%s -F INPUT", iptables);
-	if (debug_syslog > 2) {
-		my_syslog(" ");
-		my_syslog(buf);
-	}
 	system(buf);
 	for (ip_buckets::iterator i=violations.begin(); i!=violations.end(); i++) {
 		int    ip = (*i).first;
 		bucket &b = (*i).second;
-		if (b.count > con.get_threshold()) {
+			if (con.looking(ip) && (b.count > t)) {
 			in_addr ad;
 			ad.s_addr = htonl(ip);
 			snprintf(buf, maxlen, "count=%d %s -A INPUT --src %s --jump DROP", b.count, iptables, inet_ntoa(ad));
-			if (debug_syslog > 2) my_syslog(buf);
 			system(buf);
 		}
 	}
 }
+}
 
 
 ////////////////////////////////////////////////
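Review bot: The latch and the iptables rule use different thresholds: `add` latches when `t <= b.count` and `update` then logs "dropping traffic", but the new `added` branch of `changed` only issues the DROP when `b.count > t`, so an address whose count lands exactly on the threshold is reported as dropped without a rule being added; the rebuild loop in the `else` branch uses the same `>` test. Pick one comparison for all three places, e.g. `if (con.looking(ip) && (b.count >= t)) {` in both branches of `changed`, unless the off-by-one is intended. `bucket &b = violations[ip];` default-inserts an empty bucket when `ip` is absent; the current callers insert first, but `violations.find(ip)` with an end check would make `changed` independent of call order. The body of the `else` branch kept its old indentation after being wrapped, so the new nesting is hard to follow.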
@@ -176,7 +205,7 @@
 }
 
 
-bool PATTERN::process(char *buf, CONFIG &con) {
+bool PATTERN::process(char *buf, CONFIG &con, char *file_name, int pattern_index) {
 	if (pattern) {
 		const int nmatch = index+1;
 		regmatch_t match[nmatch];
@@ -190,7 +219,7 @@
 				buf[e] = '\0';
 				int ip = ip_address(buf+s);
 				if (ip) {
-					recorder.add(ip, amount, con);
+					recorder.add(ip, amount, con, file_name, pattern_index);
 				}
 				return true;
 			}
@@ -385,9 +414,11 @@
 
 
 void SYSLOGCONFIG::process(CONFIG &con) {
+	int pi=0;
 	for (pattern_list::iterator i=patterns.begin(); i!=patterns.end(); i++) {
 		PATTERN *p = *i;
-		if (p->process(buf, con)) break;
+		if (p->process(buf, con, file_name, pi)) break;
+		pi++;
 	}
 }
 
--- a/src/syslogconfig.h	Sat Dec 24 06:27:00 2005 -0800
+++ b/src/syslogconfig.h	Sun Jan 08 12:36:57 2006 -0800
@@ -36,7 +36,7 @@
 public:
 	~PATTERN();
 	PATTERN(TOKEN &tok, char *pattern_, int index_, int amount_);
-	bool	process(char *buf, CONFIG &con);
+	bool	process(char *buf, CONFIG &con, char *file_name, int pattern_index);
 	void	dump(int level);
 };
 
--- a/syslog2iptables.conf	Sat Dec 24 06:27:00 2005 -0800
+++ b/syslog2iptables.conf	Sun Jan 08 12:36:57 2006 -0800
@@ -2,17 +2,14 @@
 
 ignore {
     127.0.0.0/8;        // localhost
-    205.147.40.32/26;   // 510sg
-    205.147.0.100/24;   // digilink
-    205.147.39.128/25;  // ams
 };
 
-file "/var/log/cisco.log" {
-    pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" {
-        index 2;    // zero based
-        bucket 200;
-    };
-};
+//  file "/var/log/cisco.log" {
+//      pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" {
+//          index 2;    // zero based
+//          bucket 200;
+//      };
+//  };
 
 file "/var/log/secure" {
     pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
@@ -25,6 +22,35 @@
     };
 };
 
+file "/var/log/httpd/access_log" {
+    pattern "(.*) - - .* /cgi-bin" {
+        index 1;    // zero based
+        bucket 400;
+    };
+    pattern "(.*) - - .*/index2.php" {
+        index 1;    // zero based
+        bucket 400;
+    };
+    pattern "(.*) - - .*/main.php" {
+        index 1;    // zero based
+        bucket 400;
+    };
+};
+
+file "/var/log/httpd/access_acia_log" {
+    pattern "(.*) - - .* /cgi-bin" {
+        index 1;    // zero based
+        bucket 400;
+    };
+};
+
+file "/var/log/httpd/access_510sg_log" {
+    pattern "(.*) - - .* /cgi-bin" {
+        index 1;    // zero based
+        bucket 400;
+    };
+};
+
 //  file "/var/log/messages" {
 //      pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" {
 //          index 1;    // zero based
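Review bot: The new `(.*) - - .* /cgi-bin` patterns capture with a greedy, unanchored group, so group 1 extends to the last ` - - ` that still lets the rest of the pattern match; a request line that itself contains ` - - ` (the request path is client-supplied) makes the capture span well beyond the client address, and what `ip_address()` does with that longer string is not visible in this changeset. A tighter capture such as `pattern "^([0-9.]+) - - .* /cgi-bin"` keeps group 1 to the leading dotted quad regardless of request content. The same applies to the index2.php and main.php patterns and to the two additional access-log files below.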
--- a/syslog2iptables.rc	Sat Dec 24 06:27:00 2005 -0800
+++ b/syslog2iptables.rc	Sun Jan 08 12:36:57 2006 -0800
@@ -22,7 +22,7 @@
         echo -n "Starting syslog2iptables: "
         if [ ! -f /var/lock/subsys/syslog2iptables ]; then
             cd SYSCONFDIR   # conf file is here
-            SBINDIR/syslog2iptables -d 2
+            SBINDIR/syslog2iptables -d 3
             RETVAL=$?
             pid=`pidof -s SBINDIR/syslog2iptables`
             if [ $pid ]