changeset 5:276c4edc8521

initial coding
author carl
date Fri, 02 Dec 2005 17:52:44 -0800
parents 2737ab01659a
children 128cae6f3459
files Doxyfile Makefile.am TODO src/Makefile.am src/Makefile.in src/syslog2iptables.cpp src/syslog2iptables.h src/syslogconfig.cpp src/tokenizer.h syslog2iptables.conf
diffstat 10 files changed, 126 insertions(+), 94 deletions(-) [+]
--- a/Doxyfile	Thu Dec 01 17:17:37 2005 -0800
+++ b/Doxyfile	Fri Dec 02 17:52:44 2005 -0800
@@ -123,7 +123,7 @@
                          *.moc \
                          *.xpm \
                          *.dox
-RECURSIVE              = yes
+RECURSIVE              = YES
 EXCLUDE                = 
 EXCLUDE_SYMLINKS       = NO
 EXCLUDE_PATTERNS       = 
@@ -195,14 +195,14 @@
 #---------------------------------------------------------------------------
 # configuration options related to the man page output
 #---------------------------------------------------------------------------
-GENERATE_MAN           = NO
+GENERATE_MAN           = YES
 MAN_OUTPUT             = man
 MAN_EXTENSION          = .3
-MAN_LINKS              = NO
+MAN_LINKS              = YES
 #---------------------------------------------------------------------------
 # configuration options related to the XML output
 #---------------------------------------------------------------------------
-GENERATE_XML           = yes
+GENERATE_XML           = YES
 XML_OUTPUT             = xml
 XML_SCHEMA             = 
 XML_DTD                = 
--- a/TODO	Thu Dec 01 17:17:37 2005 -0800
+++ b/TODO	Fri Dec 02 17:52:44 2005 -0800
@@ -1,5 +1,3 @@
 1) Configurable limit on size of drop table
 2) If size exceeded, mail to root but not more often than once per 6 hours.
    and only use the larger count items?
-3) Configure an export file and command to allow pushing the filters
-   to other systems.
--- a/src/Makefile.am	Thu Dec 01 17:17:37 2005 -0800
+++ b/src/Makefile.am	Fri Dec 02 17:52:44 2005 -0800
@@ -1,6 +1,6 @@
-bin_PROGRAMS = syslog2iptables
+sbin_PROGRAMS = syslog2iptables
 syslog2iptables_SOURCES = syslog2iptables.cpp tokenizer.cpp tokenizer.h \
-	includes.h syslogconfig.cpp syslogconfig.h
+		includes.h syslogconfig.cpp syslogconfig.h syslog2iptables.h
 
 # set the include path found by configure
 INCLUDES= $(all_includes)
--- a/src/Makefile.in	Thu Dec 01 17:17:37 2005 -0800
+++ b/src/Makefile.in	Fri Dec 02 17:52:44 2005 -0800
@@ -38,7 +38,7 @@
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-bin_PROGRAMS = syslog2iptables$(EXEEXT)
+sbin_PROGRAMS = syslog2iptables$(EXEEXT)
 subdir = src
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -48,9 +48,9 @@
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
-am__installdirs = "$(DESTDIR)$(bindir)"
-binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
-PROGRAMS = $(bin_PROGRAMS)
+am__installdirs = "$(DESTDIR)$(sbindir)"
+sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
+PROGRAMS = $(sbin_PROGRAMS)
 am_syslog2iptables_OBJECTS = syslog2iptables.$(OBJEXT) \
 	tokenizer.$(OBJEXT) syslogconfig.$(OBJEXT)
 syslog2iptables_OBJECTS = $(am_syslog2iptables_OBJECTS)
@@ -176,7 +176,7 @@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
 syslog2iptables_SOURCES = syslog2iptables.cpp tokenizer.cpp tokenizer.h \
-	includes.h syslogconfig.cpp syslogconfig.h
+		includes.h syslogconfig.cpp syslogconfig.h syslog2iptables.h
 
 
 # set the include path found by configure
@@ -217,30 +217,30 @@
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-install-binPROGRAMS: $(bin_PROGRAMS)
+install-sbinPROGRAMS: $(sbin_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)"
-	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	test -z "$(sbindir)" || $(mkdir_p) "$(DESTDIR)$(sbindir)"
+	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
 	     || test -f $$p1 \
 	  ; then \
 	    f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
-	   echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \
-	   $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \
+	   echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(sbindir)/$$f'"; \
+	   $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(sbindir)/$$f" || exit 1; \
 	  else :; fi; \
 	done
 
-uninstall-binPROGRAMS:
+uninstall-sbinPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
 	  f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
-	  echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(bindir)/$$f"; \
+	  echo " rm -f '$(DESTDIR)$(sbindir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(sbindir)/$$f"; \
 	done
 
-clean-binPROGRAMS:
-	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+clean-sbinPROGRAMS:
+	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
 	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  echo " rm -f $$p $$f"; \
 	  rm -f $$p $$f ; \
@@ -369,7 +369,7 @@
 check: check-am
 all-am: Makefile $(PROGRAMS)
 installdirs:
-	for dir in "$(DESTDIR)$(bindir)"; do \
+	for dir in "$(DESTDIR)$(sbindir)"; do \
 	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
 	done
 install: install-am
@@ -398,7 +398,8 @@
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am
+clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \
+	mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -418,7 +419,7 @@
 
 install-data-am:
 
-install-exec-am: install-binPROGRAMS
+install-exec-am: install-sbinPROGRAMS
 
 install-info: install-info-am
 
@@ -444,19 +445,20 @@
 
 ps-am:
 
-uninstall-am: uninstall-binPROGRAMS uninstall-info-am
+uninstall-am: uninstall-info-am uninstall-sbinPROGRAMS
 
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-binPROGRAMS \
-	clean-generic clean-libtool ctags distclean distclean-compile \
-	distclean-generic distclean-libtool distclean-tags distdir dvi \
-	dvi-am html html-am info info-am install install-am \
-	install-binPROGRAMS install-data install-data-am install-exec \
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-sbinPROGRAMS ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-exec \
 	install-exec-am install-info install-info-am install-man \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am \
-	uninstall-binPROGRAMS uninstall-info-am
+	install-sbinPROGRAMS install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-info-am \
+	uninstall-sbinPROGRAMS
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
--- a/src/syslog2iptables.cpp	Thu Dec 01 17:17:37 2005 -0800
+++ b/src/syslog2iptables.cpp	Fri Dec 02 17:52:44 2005 -0800
@@ -18,6 +18,10 @@
  *	 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.			   *
  ***************************************************************************/
 
+// debug levels:
+// 4 - show syslog lines that match regex
+// 3 - show files open/close
+// 1 - show config files loading
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
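Review bot: The debug-level table added here does not match the thresholds introduced in syslogconfig.cpp in this same commit: file open/close messages are gated by `debug_syslog > 1` (level 2, not 3), the iptables command strings by `debug_syslog > 2` (level 3, not listed), and matching lines by `debug_syslog > 3` (level 4, as stated). Since this comment is the only place the levels are documented, it should read `// 4 - show syslog lines that match regex`, `// 3 - show iptables commands issued`, `// 2 - show files open/close`, `// 1 - show config files loading`. Naming the variable in the heading (`// debug levels (debug_syslog, set with -d):`) would also tie it to the new command-line option.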
@@ -56,7 +60,7 @@
 	if (use_syslog) {
 		pthread_mutex_lock(&syslog_mutex);
 			if (!syslog_opened) {
-				openlog("syslog2iptables", LOG_PID, LOG_MAIL);
+				openlog("syslog2iptables", LOG_PID, LOG_AUTHPRIV);
 				syslog_opened = true;
 			}
 			syslog(LOG_NOTICE, "%s", text);
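Review bot: Changing the facility to LOG_AUTHPRIV sends this daemon's own messages to wherever the host logs authpriv, which on many distributions is /var/log/secure, the very file the shipped syslog2iptables.conf now watches for `sshd.*Failed password` lines. The level-4 `my_syslog(buf)` added in syslogconfig.cpp re-emits each matching input line verbatim, so if the two coincide the copy would itself match the sshd patterns and the same source address would be counted again, each count producing a further log line; this is inferred from the config shipped with the commit, not from anything visible in this hunk. A comment here recording the constraint, e.g. `// LOG_AUTHPRIV: monitored files must not be fed from this facility, or re-logged matches (debug level 4) are re-matched`, or a fixed prefix on re-logged lines that the patterns cannot match, would guard against it. The enclosing function starts outside the hunk.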
@@ -166,43 +170,15 @@
 void usage(char *prog);
 void usage(char *prog)
 {
+	fprintf(stderr, "Usage: %s  [-d [level]] [-c]\n", prog);
+	fprintf(stderr, "-c will load and dump the config to stdout\n");
+	fprintf(stderr, "-d will set the syslog message level, currently 0 to 3\n");
 }
 
 
-int main(int argc, char *argv[])
+void worker();
+void worker()
 {
-	token_init();
-	bool check	 = true;
-	int c;
-	const char *args = "ch";
-	extern char *optarg;
-
-	// Process command line options
-	while ((c = getopt(argc, argv, args)) != -1) {
-		switch (c) {
-			case 'c':
-				check = true;
-				break;
-
-			case 'h':
-			default:
-				usage(argv[0]);
-				exit(EX_USAGE);
-		}
-	}
-
-	if (check) {
-		use_syslog	 = false;
-		debug_syslog = 10;
-		config = new_conf();
-		if (config) {
-			config->dump();
-			{
-				// just for testing
-				// initialize the thread sync objects
-				pthread_mutex_init(&config_mutex, 0);
-				pthread_mutex_init(&syslog_mutex, 0);
-
 				time_t t = time(NULL);
 				CONFIG *c;
 				pthread_mutex_lock(&config_mutex);
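Review bot: The new usage text says the debug level is `currently 0 to 3`, but the checks added in syslogconfig.cpp in this commit test `debug_syslog > 3` and the level table at the top of this file lists a level 4, so the line should be `fprintf(stderr, "-d will set the syslog message level, currently 0 to 4\n");`. The definition of `worker()` begins in this hunk and its body continues past it; nothing at the declaration says why the loop was split out of `main`, so a one-line comment above `void worker();` describing what the function does would help the next reader.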
@@ -221,6 +197,41 @@
 					c->sleep(10, t);
 				}
 			}
+
+
+int main(int argc, char *argv[])
+{
+	token_init();
+	bool check = false;
+	int c;
+	const char *args = "d:ch";
+	extern char *optarg;
+
+	// Process command line options
+	while ((c = getopt(argc, argv, args)) != -1) {
+		switch (c) {
+			case 'c':
+				check = true;
+				break;
+
+			case 'd':
+				if (optarg == NULL || *optarg == '\0') debug_syslog = 1;
+				else								   debug_syslog = atoi(optarg);
+				break;
+
+			case 'h':
+			default:
+				usage(argv[0]);
+				exit(EX_USAGE);
+		}
+	}
+
+	if (check) {
+		use_syslog	 = false;
+		debug_syslog = 10;
+		config = new_conf();
+		if (config) {
+			config->dump();
 			delete config;
 			return 0;
 		}
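Review bot: The optstring `"d:ch"` makes the argument to `-d` mandatory, while the usage text prints `[-d [level]]` and the `optarg == NULL` branch expects it to be optional; with `d:`, an invocation such as `-d -c` consumes `-c` as the level (`atoi("-c")` is 0) and the config-dump mode is silently skipped. Either use the GNU `d::` form so a bare `-d` yields a NULL optarg and the default of 1 applies, or keep `d:` and change the usage line to `[-d level]`. Separately, `atoi` returns 0 for any non-numeric value with no diagnostic; parsing with `strtol` and checking the end pointer and a 0..4 range (the highest threshold used is `> 3`) would reject garbage instead of silently disabling debug output. main() continues past the end of this hunk.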
@@ -284,6 +295,7 @@
 	if (pthread_detach(tid))
 		my_syslog("failed to detach config loader thread");
 
-	loader_run = false; 	// eventually the config loader thread will terminate
+	worker();
+
 	return EXIT_SUCCESS;
 }
--- a/src/syslog2iptables.h	Thu Dec 01 17:17:37 2005 -0800
+++ b/src/syslog2iptables.h	Fri Dec 02 17:52:44 2005 -0800
@@ -1,1 +1,2 @@
 void my_syslog(char *text);
+extern int debug_syslog;
--- a/src/syslogconfig.cpp	Thu Dec 01 17:17:37 2005 -0800
+++ b/src/syslogconfig.cpp	Fri Dec 02 17:52:44 2005 -0800
@@ -101,11 +101,6 @@
 	for (ip_buckets::iterator i=violations.begin(); i!=violations.end(); ) {
 		int    ip = (*i).first;
 		bucket &b = (*i).second;
-	 // in_addr ad;
-	 // ad.s_addr = htonl(ip);
-	 // char buf[maxlen];
-	 // snprintf(buf, maxlen, "leak %s with %d count", inet_ntoa(ad), n);
-	 // my_syslog(buf);
 		if (b.count <= amount) {
 			ch |= b.latch;
 			violations.erase(i++);
@@ -122,8 +117,11 @@
 void IPR::changed(CONFIG &con) {
 	char buf[maxlen];
 	snprintf(buf, maxlen, "%s -F INPUT", iptables);
+	if (debug_syslog > 2) {
 	my_syslog(" ");
 	my_syslog(buf);
+	}
+	system(buf);
 	for (ip_buckets::iterator i=violations.begin(); i!=violations.end(); i++) {
 		int    ip = (*i).first;
 		bucket &b = (*i).second;
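Review bot: The return value of `system(buf)` is ignored both for the `-F INPUT` flush added here and for the `-A INPUT ... --jump DROP` command in the next hunk, so if the flush succeeds and a later append fails (iptables not found, not running as root) the chain is left flushed with none of the drop rules re-added and nothing in the log; check it, e.g. `if (system(buf) != 0) { snprintf(buf, maxlen, "iptables command failed: %s", iptables); my_syslog(buf); }`. The second command string also begins with `count=%d`, which `/bin/sh` treats as a transient environment assignment for the iptables process rather than as an annotation; keep the count in the log message only and start the executed command with `%s -A INPUT`. Note too that `-F INPUT` discards every rule in the chain, not only those this program added, so a dedicated chain that INPUT jumps to would be safer to flush and rebuild.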
@@ -131,7 +129,8 @@
 			in_addr ad;
 			ad.s_addr = htonl(ip);
 			snprintf(buf, maxlen, "count=%d %s -A INPUT --src %s --jump DROP", b.count, iptables, inet_ntoa(ad));
-			my_syslog(buf);
+			if (debug_syslog > 2) my_syslog(buf);
+			system(buf);
 		}
 	}
 }
@@ -184,10 +183,10 @@
 		if (0 == regexec(&re, buf, nmatch, match, 0)) {
 			int s = match[index].rm_so;
 			int e = match[index].rm_eo;
-		//	char bu[maxlen];
-		//	snprintf(bu, maxlen, "re match from %d to %d", s, e);
-		//	my_syslog(bu);
 			if (s != -1) {
+				if (debug_syslog > 3) {
+					my_syslog(buf); // show lines with matches
+				}
 				buf[e] = '\0';
 				int ip = ip_address(buf+s);
 				if (ip) {
@@ -317,10 +316,13 @@
 		}
 	}
 	else {
+		if (debug_syslog > 1) {
+			snprintf(buf, sizeof(buf), "syslog file %s opened", file_name);
+			my_syslog(buf);
+		}
 		lseek(fd, 0, SEEK_END);
 		if (fstat(fd, &openfdstat)) {
 			close();
-			char buf[maxlen];
 			snprintf(buf, sizeof(buf), "syslog file %s cannot stat after open", file_name);
 			tokp->token_error(buf);
 		}
@@ -369,6 +371,10 @@
 
 
 void SYSLOGCONFIG::close() {
+	if (debug_syslog > 1) {
+		snprintf(buf, sizeof(buf), "syslog file %s closed", file_name);
+		my_syslog(buf);
+	}
 	if (fd != -1) ::close(fd);
 	fd = -1;
 }
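Review bot: The new debug message in `SYSLOGCONFIG::close()` is emitted before the `fd != -1` test, so a call on an object whose file is already closed logs "syslog file ... closed" for a file that was not open; move it inside the guard, `if (fd != -1) { if (debug_syslog > 1) { snprintf(buf, sizeof(buf), "syslog file %s closed", file_name); my_syslog(buf); } ::close(fd); }`. The `buf` used here and in the open path (where the local `char buf[maxlen]` was removed) is presumably now a member array — confirm that `sizeof(buf)` still yields the array length rather than a pointer size.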
--- a/src/tokenizer.h	Thu Dec 01 17:17:37 2005 -0800
+++ b/src/tokenizer.h	Fri Dec 02 17:52:44 2005 -0800
@@ -63,8 +63,8 @@
 	int 	nextint();
 	void	skipeol();			// skip to eol
 	void	push(char *token)			{pending_tokens.push_front(token);};
-	char	*cur_fn()					{return filenames.front();};
-	int 	cur_line()					{return linenumbers.front();};
+	const char	*cur_fn()					{return filenames.empty()	? "" : filenames.front();};
+	int 		cur_line()					{return linenumbers.empty() ? 0  : linenumbers.front();};
 	void	token_error(const char *err);
 	void	token_error(const char *fmt, int d, const char *s);
 	void	token_error(const char *fmt, const char *t, const char *h);
--- a/syslog2iptables.conf	Thu Dec 01 17:17:37 2005 -0800
+++ b/syslog2iptables.conf	Fri Dec 02 17:52:44 2005 -0800
@@ -7,14 +7,25 @@
     205.147.39.128/25;  // ams
 };
 
-file "mycisco.log" {
+file "/var/log/cisco.log" {
     pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" {
         index 2;    // zero based
         bucket 200;
     };
 };
 
-file "mymessages.log" {
+file "/var/log/secure" {
+    pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
+        index 1;    // zero based
+        bucket 300;
+    };
+    pattern "sshd.*Failed password .* from (.*) port" {
+        index 1;    // zero based
+        bucket 300;
+    };
+};
+
+file "/var/log/messages" {
     pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" {
         index 1;    // zero based
         bucket 300;
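Review bot: The two sshd patterns on /var/log/secure overlap: a line of the form `from ::ffff:1.2.3.4 port` matches both, the first capturing `1.2.3.4` and the second capturing `::ffff:1.2.3.4`. If the patterns in a file block are each tried independently rather than first-match-wins (not visible here), such a failure is either counted twice or the second capture is handed to the address parser in a form it may not accept. A comment on the first block recording the intended precedence, e.g. `// IPv4-mapped form must come first so the address is captured without the ::ffff: prefix`, would make the dependency on ordering explicit.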