Hi,

It's such a great idea that I posted on my blog about it. Thanks for both the idea and the implementation. And of course your possible pattern additions are more than welcome.

On Sun, 2011-02-20 at 23:06 +0100, Valentijn Sessink wrote:
> Hi list,
>
> For a week or so I've been gathering the building blocks for a sort of low-tech intrusion detection/prevention system.
>
> My "itch": having a system that acts "real time" on the log messages that various daemons produce; having it low profile; easy to get it to act (i.e. no scripts that call scripts that call other scripts). For example, if sshd says "invalid user", I'd like the firewall to act on this, with as few steps in between as possible. Luckily, syslog-ng is able to find patterns all by itself, so I'm able to "skip the middle man", i.e. I can use syslog-ng directly on the firewalling rules. And what is better: I'm not even using the program() call!
>
> I'm currently running such a system in pre-production and I'm delighted. It's really easy to build. It works like a charm. Here's how:
-- Bazsi
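Valentijn's own configuration is not included in this excerpt of the thread. The following is an added illustration of the idea he describes (syslog-ng matching sshd "Invalid user" messages and feeding the firewall directly, with no program() call); it is my construction, not code from the thread. It assumes the kernel's xt_recent module, whose /proc/net/xt_recent/<list> file accepts "+<address>" writes to add an entry, an iptables rule that references that list (shown in the trailing comment), and syslog-ng running with permission to write to that /proc file.

```conf
@version: 3.2

# Added example, not the configuration from the original thread.
# Assumes: an iptables rule using "-m recent --name ssh_bad" has been loaded
# (which creates /proc/net/xt_recent/ssh_bad) and syslog-ng runs as root.

source s_local {
    unix-dgram("/dev/log");
    internal();
};

# sshd logs lines such as "Invalid user admin from 203.0.113.7" (constructed
# sample); store-matches keeps the capture group (the source address) in $1.
filter f_ssh_invalid_user {
    program("sshd")
    and match("Invalid user \\S+ from ([0-9.]+)"
              value("MESSAGE")
              flags(store-matches));
};

# The firewall "destination": xt_recent adds an address when "+<addr>" is
# written to its proc file, so a plain file() destination is enough and no
# external program is spawned.
destination d_xt_recent {
    file("/proc/net/xt_recent/ssh_bad"
         template("+$1\n")
         flush_lines(1));
};

log {
    source(s_local);
    filter(f_ssh_invalid_user);
    destination(d_xt_recent);
};

# Matching firewall rule (loaded once, outside syslog-ng). It drops new SSH
# connections from any address listed during the last hour:
#   iptables -A INPUT -p tcp --dport 22 -m recent --name ssh_bad \
#       --rcheck --seconds 3600 -j DROP
```

Because the regex only captures dotted IPv4 addresses, IPv6 clients are never listed; a second match() with an IPv6 pattern and a separate xt_recent list would be needed for them.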