changeset 35:d2ceebcf6595 stable-1-7

add message description in patterns
author carl
date Tue, 18 Sep 2007 09:54:22 -0700
parents a3fee10284e2
children 6a2f26976898
files ChangeLog NEWS configure.in src/syslogconfig.cpp src/syslogconfig.h syslog2iptables.conf xml/syslog2iptables.in
diffstat 7 files changed, 98 insertions(+), 20 deletions(-) [+]
--- a/ChangeLog	Sun Sep 09 15:46:03 2007 -0700
+++ b/ChangeLog	Tue Sep 18 09:54:22 2007 -0700
@@ -1,6 +1,10 @@
     $Id$
 
-1.6 2007-09-30
+1.7 2007-09-18
+    Add description in config file for each regular expression
+    so the log is more readable.
+
+1.6 2007-09-09
     GPL3
 
 1.5 2007-08-30
--- a/NEWS	Sun Sep 09 15:46:03 2007 -0700
+++ b/NEWS	Tue Sep 18 09:54:22 2007 -0700
@@ -1,9 +1,10 @@
     $Id$
 
-1.6 2007-09-30 gpl3.
+1.7 2007-09-18 Add description in config file for each regular expression.
+1.6 2007-09-09 GPL3.
 1.5 2007-08-30 Fix pre/post scripts in the rpm spec file.
-1.4 2007-06-09 add selinux fixes
-1.3 2006-02-12 add config for iptables commands
-1.2 2006-02-01 add/remove without flushing the table
-1.1 2006-01-08 add syslog entries
+1.4 2007-06-09 Add selinux fixes
+1.3 2006-02-12 Add config for iptables commands
+1.2 2006-02-01 Add/remove without flushing the table
+1.1 2006-01-08 Add syslog entries
 1.0 2005-12-17 Initial release.
--- a/configure.in	Sun Sep 09 15:46:03 2007 -0700
+++ b/configure.in	Tue Sep 18 09:54:22 2007 -0700
@@ -1,6 +1,6 @@
 
 AC_PREREQ(2.59)
-AC_INIT(syslog2iptables,1.6,carl@five-ten-sg.com)
+AC_INIT(syslog2iptables,1.7,carl@five-ten-sg.com)
 AC_CONFIG_SRCDIR([config.h.in])
 AC_CONFIG_HEADER([config.h])
 
--- a/src/syslogconfig.cpp	Sun Sep 09 15:46:03 2007 -0700
+++ b/src/syslogconfig.cpp	Tue Sep 18 09:54:22 2007 -0700
@@ -35,6 +35,7 @@
 char *token_include;
 char *token_index;
 char *token_lbrace;
+char *token_message;
 char *token_pattern;
 char *token_rbrace;
 char *token_remove;
@@ -62,9 +63,9 @@
 class IPR {
 	ip_buckets	violations;
 public:
-	void add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index);
+	void add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index, char *message);
 	void leak(int amount, CONFIG &con);
-	void update(int ip, bool added, char *file_name, int pattern_index);
+	void update(int ip, bool added, char *file_name, int pattern_index, char *message);
 	void changed(CONFIG &con, int ip, bool added);
 };
 
@@ -73,7 +74,7 @@
 
 ////////////////////////////////////////////////
 //
-void IPR::add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index) {
+void IPR::add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index, char *message) {
 	if (con.looking(ip)) {
 		ip_buckets::iterator i = violations.find(ip);
 		if (i == violations.end()) {
@@ -82,7 +83,7 @@
 			b.latch = (con.get_threshold() <= b.count);
 			violations[ip] = b;
 			if (b.latch) {
-				update(ip, true, file_name, pattern_index);
+				update(ip, true, file_name, pattern_index, message);
 				changed(con, ip, true);
 			}
 		}
@@ -94,7 +95,7 @@
 				b.count += amount;
 				if ((!b.latch) && (c < t) && (t <= b.count)) {
 					b.latch = true;
-					update(ip, true, file_name, pattern_index);
+					update(ip, true, file_name, pattern_index, message);
 					changed(con, ip, true);
 				}
 			}
@@ -109,7 +110,7 @@
 		bucket &b = (*i).second;
 		if (b.count <= amount) {
 			if (b.latch) {
-				update(ip, false, NULL, 0);
+				update(ip, false, NULL, 0, NULL);
 				changed(con, ip, false);
 			}
 			violations.erase(i++);
@@ -122,12 +123,15 @@
 }
 
 
-void IPR::update(int ip, bool added, char *file_name, int pattern_index) {
+void IPR::update(int ip, bool added, char *file_name, int pattern_index, char *message) {
 	if (debug_syslog > 2) {
 		char buf[maxlen];
 		in_addr ad;
 		ad.s_addr = htonl(ip);
-		if (added) snprintf(buf, maxlen, "dropping traffic from/to %s based on pattern match %d in %s", inet_ntoa(ad), pattern_index, file_name);
+		if (added) {
+			if (message) snprintf(buf, maxlen, "dropping traffic from/to %s based on %s in %s", inet_ntoa(ad), message, file_name);
+			else		 snprintf(buf, maxlen, "dropping traffic from/to %s based on pattern match %d in %s", inet_ntoa(ad), pattern_index, file_name);
+		}
 		else	   snprintf(buf, maxlen, "allowing traffic from/to %s", inet_ntoa(ad));
 		my_syslog(buf);
 	}
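Review bot: When a message is configured, the new branch at the `if (message)` line drops pattern_index from the log line entirely, so two patterns that carry the same description (the sample config gives both sshd patterns "ssh failed password") become indistinguishable in syslog, which makes it harder to trace a block back to the rule that fired. Keeping the index next to the description costs nothing: `if (message) snprintf(buf, maxlen, "dropping traffic from/to %s based on %s (pattern match %d) in %s", inet_ntoa(ad), message, pattern_index, file_name);`. The description is copied into the line verbatim; it comes from the config file, so that is acceptable, but a value containing a newline would split the syslog entry, and I cannot see from this hunk whether the tokenizer already rejects control characters. IPR::update's body continues past the end of the hunk.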
@@ -172,10 +176,11 @@
 
 ////////////////////////////////////////////////
 //
-PATTERN::PATTERN(TOKEN &tok, char *pattern_, int index_, int amount_) {
+PATTERN::PATTERN(TOKEN &tok, char *pattern_, int index_, int amount_, char *msg_) {
 	pattern = pattern_;
 	index	= index_;
 	amount	= amount_;
+	message = msg_;
 	if (pattern) {
 		int rc = regcomp(&re, pattern, REG_ICASE | REG_EXTENDED);
 		if (rc) {
@@ -209,7 +214,7 @@
 				buf[e] = '\0';
 				int ip = ip_address(buf+s);
 				if (ip) {
-					recorder.add(ip, amount, con, file_name, pattern_index);
+					recorder.add(ip, amount, con, file_name, pattern_index, message);
 				}
 				return true;
 			}
@@ -227,6 +232,7 @@
 	printf("%s pattern \"%s\" {; \n", indent, pattern);
 	printf("%s     index %d; \n", indent, index);
 	printf("%s     bucket %d; \n", indent, amount);
+	if (message) printf("%s     message \"%s\"; \n", indent, message);
 	printf("%s }; \n", indent);
 }
 
@@ -488,6 +494,7 @@
 bool parse_pattern(TOKEN &tok, SYSLOGCONFIG &con) {
 	char *pat = tok.next();
 	int  ind, buc;
+	char *msg = NULL;
 	if (!tsa(tok, token_lbrace)) return false;
 	while (true) {
 		char *have = tok.next();
@@ -503,13 +510,17 @@
 			buc  = atoi(have);
 			if (!tsa(tok, token_semi)) return false;
 		}
+		else if (have == token_message) {
+			msg = tok.next();
+			if (!tsa(tok, token_semi)) return false;
+		}
 		else {
 			tok.token_error("index/bucket", have);
 			return false;
 		}
 	}
 	if (!tsa(tok, token_semi)) return false;
-	PATTERNP patt = new PATTERN(tok, pat, ind, buc);
+	PATTERNP patt = new PATTERN(tok, pat, ind, buc, msg);
 	con.add_pattern(patt);
 	return true;
 }
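Review bot: The fallback diagnostic at `tok.token_error("index/bucket", have);` still names only the two old keywords, so a typo inside a pattern block now produces an error that omits the newly accepted keyword; change it to `tok.token_error("index/bucket/message", have);`. Initialising `msg` to NULL is right, since IPR::update and PATTERN::dump test the pointer before use, and the same treatment would help `ind` and `buc`, which remain uninitialised when a block omits index or bucket (pre-existing, but the declaration is adjacent to the new line). `msg = tok.next()` is stored without an end-of-input check; I cannot tell from here what tok.next() returns at EOF, so the following tsa() call may already cover it. parse_pattern's signature sits in the earlier hunk.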
@@ -662,6 +673,7 @@
 	token_include	 = register_string("include");
 	token_index 	 = register_string("index");
 	token_lbrace	 = register_string("{");
+	token_message	 = register_string("message");
 	token_pattern	 = register_string("pattern");
 	token_rbrace	 = register_string("}");
 	token_remove	 = register_string("remove_command");
--- a/src/syslogconfig.h	Sun Sep 09 15:46:03 2007 -0700
+++ b/src/syslogconfig.h	Tue Sep 18 09:54:22 2007 -0700
@@ -33,9 +33,10 @@
 	regex_t 		re;
 	int 			index;		// zero based substring of the regex match that contains the ip address or hostname
 	int 			amount; 	// count to add to the ip address leaky bucket
+	char *			message;	// for logging, owned by the string table
 public:
 	~PATTERN();
-	PATTERN(TOKEN &tok, char *pattern_, int index_, int amount_);
+	PATTERN(TOKEN &tok, char *pattern_, int index_, int amount_, char *msg_);
 	bool	process(char *buf, CONFIG &con, char *file_name, int pattern_index);
 	void	dump(int level);
 };
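Review bot: The comment added on `char * message;` records ownership but not that the field may be NULL, which is the case whenever a pattern block has no message line (parse_pattern defaults it to NULL, and both IPR::update and PATTERN::dump guard on the pointer). Suggest `char *			message;	// for logging, may be NULL; owned by the string table` so later readers of the field know to check it before formatting it into a log line.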
--- a/syslog2iptables.conf	Sun Sep 09 15:46:03 2007 -0700
+++ b/syslog2iptables.conf	Tue Sep 18 09:54:22 2007 -0700
@@ -11,6 +11,7 @@
 //      pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" {
 //          index 2;    // zero based
 //          bucket 200;
+//          message "cisco firewall blocked packet";
 //      };
 //  };
 
@@ -18,10 +19,12 @@
     pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
         index 1;    // zero based
         bucket 400;
+        message "ssh failed password";
     };
     pattern "sshd.*Failed password .* from (.*) port" {
         index 1;    // zero based
         bucket 400;
+        message "ssh failed password";
     };
 };
 
@@ -29,14 +32,25 @@
     pattern "(.*) - - .* /cgi-bin" {
         index 1;    // zero based
         bucket 400;
+        message "apache cgi-bin reference";
     };
     pattern "(.*) - - .*/index2.php" {
         index 1;    // zero based
         bucket 400;
+        message "apache index2.php reference";
     };
     pattern "(.*) - - .*/main.php" {
         index 1;    // zero based
         bucket 400;
+        message "apache main.php reference";
+    };
+};
+
+file "/var/log/maillog" {
+    pattern "lost input channel from .* \[(.*)\] .* after mail" {
+        index 1;    // zero based
+        bucket 200;
+        message "sendmail spammer dropping connection";
     };
 };
 
@@ -44,9 +58,11 @@
 //      pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" {
 //          index 1;    // zero based
 //          bucket 300;
+//          message "ssh failed password";
 //      };
 //      pattern "sshd.pam_unix.*authentication failure.*rhost=(.*)$" {
 //          index 1;    // zero based
 //          bucket 300;
+//          message "ssh failed password";
 //      };
 //  };
--- a/xml/syslog2iptables.in	Sun Sep 09 15:46:03 2007 -0700
+++ b/xml/syslog2iptables.in	Tue Sep 18 09:54:22 2007 -0700
@@ -187,9 +187,11 @@
 IGNORE    := "ignore" "{" IG-SINGLE+ "};"
 IG-SINGLE := IP-ADDRESS "/" CIDR-BITS ";"
 FILE      := "file" FILENAME "{" PATTERN+ "};"
-PATTERN   := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET}+ "};"
+PATTERN   := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET | MESSAGE}+ "};"
 INDEX     := "index" REGEX-INTEGER-VALUE ";"
 BUCKET    := "bucket" BUCKET-ADD-INTEGER-VALUE ";"
+MESSAGE   := "message" REASON ";"
+REASON    := string to appear in syslog messages
 IPT-CMD   := string containing exactly one %s replacement token for
              the ip address]]></literallayout>
         </refsect1>
@@ -210,6 +212,7 @@
     pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" {
         index 2;    // zero based
         bucket 200;
+        message "cisco firewall blocked packet";
     };
 };
 
@@ -217,10 +220,51 @@
     pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
         index 1;    // zero based
         bucket 400;
+        message "ssh failed password";
     };
     pattern "sshd.*Failed password .* from (.*) port" {
         index 1;    // zero based
         bucket 400;
+        message "ssh failed password";
+    };
+};
+
+file "/var/log/httpd/access_log" {
+    pattern "(.*) - - .* /cgi-bin" {
+        index 1;    // zero based
+        bucket 400;
+        message "apache cgi-bin reference";
+    };
+    pattern "(.*) - - .*/index2.php" {
+        index 1;    // zero based
+        bucket 400;
+        message "apache index2.php reference";
+    };
+    pattern "(.*) - - .*/main.php" {
+        index 1;    // zero based
+        bucket 400;
+        message "apache main.php reference";
+    };
+};
+
+file "/var/log/maillog" {
+    pattern "lost input channel from .* \[(.*)\] .* after mail" {
+        index 1;    // zero based
+        bucket 200;
+        message "sendmail spammer dropping connection";
+    };
+};
+
+file "/var/log/messages" {
+    pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" {
+        index 1;    // zero based
+        bucket 300;
+        message "ssh failed password";
+    };
+    pattern "sshd.pam_unix.*authentication failure.*rhost=(.*)$" {
+        index 1;    // zero based
+        bucket 300;
+        message "ssh failed password";
     };
 };]]></literallayout>
         </refsect1>