Mercurial > syslog2iptables
changeset 35:d2ceebcf6595 stable-1-7
add message description in patterns
author | carl |
---|---|
date | Tue, 18 Sep 2007 09:54:22 -0700 |
parents | a3fee10284e2 |
children | 6a2f26976898 |
files | ChangeLog NEWS configure.in src/syslogconfig.cpp src/syslogconfig.h syslog2iptables.conf xml/syslog2iptables.in |
diffstat | 7 files changed, 98 insertions(+), 20 deletions(-) [+] |
line wrap: on
line diff
--- a/ChangeLog Sun Sep 09 15:46:03 2007 -0700 +++ b/ChangeLog Tue Sep 18 09:54:22 2007 -0700 @@ -1,6 +1,10 @@ $Id$ -1.6 2007-09-30 +1.7 2007-09-18 + Add description in config file for each regular expression + so the log is more readable. + +1.6 2007-09-09 GPL3 1.5 2007-08-30
--- a/NEWS Sun Sep 09 15:46:03 2007 -0700 +++ b/NEWS Tue Sep 18 09:54:22 2007 -0700 @@ -1,9 +1,10 @@ $Id$ -1.6 2007-09-30 gpl3. +1.7 2007-09-18 Add description in config file for each regular expression. +1.6 2007-09-09 GPL3. 1.5 2007-08-30 Fix pre/post scripts in the rpm spec file. -1.4 2007-06-09 add selinux fixes -1.3 2006-02-12 add config for iptables commands -1.2 2006-02-01 add/remove without flushing the table -1.1 2006-01-08 add syslog entries +1.4 2007-06-09 Add selinux fixes +1.3 2006-02-12 Add config for iptables commands +1.2 2006-02-01 Add/remove without flushing the table +1.1 2006-01-08 Add syslog entries 1.0 2005-12-17 Initial release.
--- a/configure.in Sun Sep 09 15:46:03 2007 -0700 +++ b/configure.in Tue Sep 18 09:54:22 2007 -0700 @@ -1,6 +1,6 @@ AC_PREREQ(2.59) -AC_INIT(syslog2iptables,1.6,carl@five-ten-sg.com) +AC_INIT(syslog2iptables,1.7,carl@five-ten-sg.com) AC_CONFIG_SRCDIR([config.h.in]) AC_CONFIG_HEADER([config.h])
--- a/src/syslogconfig.cpp Sun Sep 09 15:46:03 2007 -0700 +++ b/src/syslogconfig.cpp Tue Sep 18 09:54:22 2007 -0700 @@ -35,6 +35,7 @@ char *token_include; char *token_index; char *token_lbrace; +char *token_message; char *token_pattern; char *token_rbrace; char *token_remove; @@ -62,9 +63,9 @@ class IPR { ip_buckets violations; public: - void add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index); + void add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index, char *message); void leak(int amount, CONFIG &con); - void update(int ip, bool added, char *file_name, int pattern_index); + void update(int ip, bool added, char *file_name, int pattern_index, char *message); void changed(CONFIG &con, int ip, bool added); }; @@ -73,7 +74,7 @@ //////////////////////////////////////////////// // -void IPR::add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index) { +void IPR::add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index, char *message) { if (con.looking(ip)) { ip_buckets::iterator i = violations.find(ip); if (i == violations.end()) { @@ -82,7 +83,7 @@ b.latch = (con.get_threshold() <= b.count); violations[ip] = b; if (b.latch) { - update(ip, true, file_name, pattern_index); + update(ip, true, file_name, pattern_index, message); changed(con, ip, true); } } @@ -94,7 +95,7 @@ b.count += amount; if ((!b.latch) && (c < t) && (t <= b.count)) { b.latch = true; - update(ip, true, file_name, pattern_index); + update(ip, true, file_name, pattern_index, message); changed(con, ip, true); } } @@ -109,7 +110,7 @@ bucket &b = (*i).second; if (b.count <= amount) { if (b.latch) { - update(ip, false, NULL, 0); + update(ip, false, NULL, 0, NULL); changed(con, ip, false); } violations.erase(i++); @@ -122,12 +123,15 @@ } -void IPR::update(int ip, bool added, char *file_name, int pattern_index) { +void IPR::update(int ip, bool added, char *file_name, int pattern_index, char *message) { if (debug_syslog > 2) { char buf[maxlen]; in_addr ad; ad.s_addr = htonl(ip); - if (added) snprintf(buf, maxlen, "dropping traffic from/to %s based on pattern match %d in %s", inet_ntoa(ad), pattern_index, file_name); + if (added) { + if (message) snprintf(buf, maxlen, "dropping traffic from/to %s based on %s in %s", inet_ntoa(ad), message, file_name); + else snprintf(buf, maxlen, "dropping traffic from/to %s based on pattern match %d in %s", inet_ntoa(ad), pattern_index, file_name); + } else snprintf(buf, maxlen, "allowing traffic from/to %s", inet_ntoa(ad)); my_syslog(buf); } @@ -172,10 +176,11 @@ //////////////////////////////////////////////// // -PATTERN::PATTERN(TOKEN &tok, char *pattern_, int index_, int amount_) { +PATTERN::PATTERN(TOKEN &tok, char *pattern_, int index_, int amount_, char *msg_) { pattern = pattern_; index = index_; amount = amount_; + message = msg_; if (pattern) { int rc = regcomp(&re, pattern, REG_ICASE | REG_EXTENDED); if (rc) { @@ -209,7 +214,7 @@ buf[e] = '\0'; int ip = ip_address(buf+s); if (ip) { - recorder.add(ip, amount, con, file_name, pattern_index); + recorder.add(ip, amount, con, file_name, pattern_index, message); } return true; } @@ -227,6 +232,7 @@ printf("%s pattern \"%s\" {; \n", indent, pattern); printf("%s index %d; \n", indent, index); printf("%s bucket %d; \n", indent, amount); + if (message) printf("%s message \"%s\"; \n", indent, message); printf("%s }; \n", indent); } @@ -488,6 +494,7 @@ bool parse_pattern(TOKEN &tok, SYSLOGCONFIG &con) { char *pat = tok.next(); int ind, buc; + char *msg = NULL; if (!tsa(tok, token_lbrace)) return false; while (true) { char *have = tok.next(); @@ -503,13 +510,17 @@ buc = atoi(have); if (!tsa(tok, token_semi)) return false; } + else if (have == token_message) { + msg = tok.next(); + if (!tsa(tok, token_semi)) return false; + } else { tok.token_error("index/bucket", have); return false; } } if (!tsa(tok, token_semi)) return false; - PATTERNP patt = new PATTERN(tok, pat, ind, buc); + PATTERNP patt = new PATTERN(tok, pat, ind, buc, msg); con.add_pattern(patt); return true; } @@ -662,6 +673,7 @@ token_include = register_string("include"); token_index = register_string("index"); token_lbrace = register_string("{"); + token_message = register_string("message"); token_pattern = register_string("pattern"); token_rbrace = register_string("}"); token_remove = register_string("remove_command");
--- a/src/syslogconfig.h Sun Sep 09 15:46:03 2007 -0700 +++ b/src/syslogconfig.h Tue Sep 18 09:54:22 2007 -0700 @@ -33,9 +33,10 @@ regex_t re; int index; // zero based substring of the regex match that contains the ip address or hostname int amount; // count to add to the ip address leaky bucket + char * message; // for logging, owned by the string table public: ~PATTERN(); - PATTERN(TOKEN &tok, char *pattern_, int index_, int amount_); + PATTERN(TOKEN &tok, char *pattern_, int index_, int amount_, char *msg_); bool process(char *buf, CONFIG &con, char *file_name, int pattern_index); void dump(int level); };
--- a/syslog2iptables.conf Sun Sep 09 15:46:03 2007 -0700 +++ b/syslog2iptables.conf Tue Sep 18 09:54:22 2007 -0700 @@ -11,6 +11,7 @@ // pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" { // index 2; // zero based // bucket 200; +// message "cisco firewall blocked packet"; // }; // }; @@ -18,10 +19,12 @@ pattern "sshd.*Failed password .* from ::ffff:(.*) port" { index 1; // zero based bucket 400; + message "ssh failed password"; }; pattern "sshd.*Failed password .* from (.*) port" { index 1; // zero based bucket 400; + message "ssh failed password"; }; }; @@ -29,14 +32,25 @@ pattern "(.*) - - .* /cgi-bin" { index 1; // zero based bucket 400; + message "apache cgi-bin reference"; }; pattern "(.*) - - .*/index2.php" { index 1; // zero based bucket 400; + message "apache index2.php reference"; }; pattern "(.*) - - .*/main.php" { index 1; // zero based bucket 400; + message "apache main.php reference"; + }; +}; + +file "/var/log/maillog" { + pattern "lost input channel from .* \[(.*)\] .* after mail" { + index 1; // zero based + bucket 200; + message "sendmail spammer dropping connection"; }; }; @@ -44,9 +58,11 @@ // pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" { // index 1; // zero based // bucket 300; +// message "ssh failed password"; // }; // pattern "sshd.pam_unix.*authentication failure.*rhost=(.*)$" { // index 1; // zero based // bucket 300; +// message "ssh failed password"; // }; // };
--- a/xml/syslog2iptables.in Sun Sep 09 15:46:03 2007 -0700 +++ b/xml/syslog2iptables.in Tue Sep 18 09:54:22 2007 -0700 @@ -187,9 +187,11 @@ IGNORE := "ignore" "{" IG-SINGLE+ "};" IG-SINGLE := IP-ADDRESS "/" CIDR-BITS ";" FILE := "file" FILENAME "{" PATTERN+ "};" -PATTERN := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET}+ "};" +PATTERN := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET | MESSAGE}+ "};" INDEX := "index" REGEX-INTEGER-VALUE ";" BUCKET := "bucket" BUCKET-ADD-INTEGER-VALUE ";" +MESSAGE := "message" REASON ";" +REASON := string to appear in syslog messages IPT-CMD := string containing exactly one %s replacement token for the ip address]]></literallayout> </refsect1> @@ -210,6 +212,7 @@ pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" { index 2; // zero based bucket 200; + message "cisco firewall blocked packet"; }; }; @@ -217,10 +220,51 @@ pattern "sshd.*Failed password .* from ::ffff:(.*) port" { index 1; // zero based bucket 400; + message "ssh failed password"; }; pattern "sshd.*Failed password .* from (.*) port" { index 1; // zero based bucket 400; + message "ssh failed password"; + }; +}; + +file "/var/log/httpd/access_log" { + pattern "(.*) - - .* /cgi-bin" { + index 1; // zero based + bucket 400; + message "apache cgi-bin reference"; + }; + pattern "(.*) - - .*/index2.php" { + index 1; // zero based + bucket 400; + message "apache index2.php reference"; + }; + pattern "(.*) - - .*/main.php" { + index 1; // zero based + bucket 400; + message "apache main.php reference"; + }; +}; + +file "/var/log/maillog" { + pattern "lost input channel from .* \[(.*)\] .* after mail" { + index 1; // zero based + bucket 200; + message "sendmail spammer dropping connection"; + }; +}; + +file "/var/log/messages" { + pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" { + index 1; // zero based + bucket 300; + message "ssh failed password"; + }; + pattern "sshd.pam_unix.*authentication failure.*rhost=(.*)$" { + index 1; // zero based + bucket 300; + message "ssh failed password"; }; };]]></literallayout> </refsect1>