On Wed, 2004-09-15 at 22:41, Ow Mun Heng wrote: > On Thu, 2004-09-16 at 09:34, Dale Sykora wrote: > > Do you know > > of any SIPTO type program or script? SIPTO (which I just made up) means > > Source IP Time Out (think child behavior deterant). It would watch the > > logs for admin defined bad behavior from a connecting IP and then > > temporarily ban that IP (time-out via iptables) for 15 minutes or so > > after 3 occurances in a given time frame. For example, SME server adds > > a denylog line to /var/log/messages when an external IP tries to connect > > to a closed port. I would like something to watch this 'tail -f?' and > > add an iptables rule to drop all connections from this IP address for a > > short time frame (extendible if other attemps are made). I would like > > this to be generic enough to shut down access to zombies that try and > > send viruses thru my email server, or systems that think I run IIS and > > look for cmd.com/etc... as well. Someone it the past mentioned an IDS, > > but that seems CPU/network intensive. I simple want to watch the logs > > and block the bad/zombie machines that tend to fill the logs. > > Wouldn't portsentry do that? Then again, portsentry would only determine > if a port which is marked as "secure" shouldn't be touched by anyone > except a allowed list, and will deny that IP dynamically. > > On the other hand, there's swatch which will watch the logs for you > based on regex expressions and I guess you can write a script for it to > parse when it detects malware > I think you want to look at snort for this kind of functionality. -- Scot L. Harris webid@xxxxxxxxxx Type louder, please.
