From: Andres <and...@gm...> - 2007-12-03 16:56:13

Hi,

I have been using fail2ban for more than one year, with great satisfaction. One of my few problems is that:

1) I always make a mess when I have to write a new rule
2) I cannot upgrade fail2ban to the last version, because I'm using CentOS 4.x and I'm not too keen on keeping 2 versions of python

One of my servers had some problems during the weekend, and I'm trying to parse snort's log too into fail2ban. This is an example of log entries in the snort log:

12/03-08:44:23.634868 [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 62.149.197.109:80 -> 62.213.116.249:51517
12/03-12:05:38.697901 [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 219.133.37.41:1089 -> 62.149.202.73:1434
12/03-17:30:12.373043 [**] [1:486:4] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} 79.21.69.143 -> 62.149.197.69

I have drafted a configuration, and it doesn't work. Could anyone have a look at it?

[SNORT]
enabled = true
port = httpd
logfile = /var/log/snort/alert
# 11/30-19:33:24
timeregex = \d{1,2}/\d{1,2}-\d{1,2}:\d{1,2}:\d{1,2}
timepattern = %%m/%%d%%H:%%M:%%S
failregex = \{TCP\} <host>|\{UDP\} <host>|\{ICMP\} <host>

Moreover: as snort is monitoring more than one port, I would like it to block all the activity for an IP when a problem is found (not just on the http port). What would be the syntax for that?

At the present time, the chain is created, but the log is not parsed correctly - no offending lines are found (or the IPs are not parsed correctly).

This is what I get:

Chain fail2ban-SNORT (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Any suggestions?

Thanks in advance,
Andres
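An added example, not from the post above and not fail2ban's own code: a Python parser for the three snort fast-alert lines quoted in the post, which also shows which source address a ban action would actually hit for each line. The local network 62.149.0.0/16, the year 2007 and the priority threshold are assumptions chosen to fit the quoted lines.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample: the three alert lines quoted in the post above.
SAMPLE_ALERTS = """\
12/03-08:44:23.634868 [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 62.149.197.109:80 -> 62.213.116.249:51517
12/03-12:05:38.697901 [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 219.133.37.41:1089 -> 62.149.202.73:1434
12/03-17:30:12.373043 [**] [1:486:4] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} 79.21.69.143 -> 62.149.197.69
"""

# Fast-alert layout (note the '-' between the day and the time):
# MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2})\.\d+ "
    r"\[\*\*\] \[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>TCP|UDP|ICMP)\} "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$"
)

def parse_alert(line, year):
    """Return the alert's fields, or None if the line is not a fast-format alert.
    Snort omits the year, so the caller supplies it (a time pattern must do the same)."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["timestamp"] = datetime.strptime("%d/%s" % (year, d["ts"]), "%Y/%m/%d-%H:%M:%S")
    d["prio"] = int(d["prio"])
    return d

def candidate_bans(text, local_net, year=2007, max_priority=2):
    """Source addresses worth handing to a ban action: remote sources that hit a host in
    local_net with priority <= max_priority. Alerts whose *source* is local (the 403 line
    is the web server's own reply on port 80) are skipped: a failregex that takes the first
    address after {TCP} would ban the server itself."""
    net = ipaddress.ip_network(local_net)
    bans = []
    for line in text.splitlines():
        a = parse_alert(line, year)
        if a is None or a["prio"] > max_priority:
            continue
        src, dst = ipaddress.ip_address(a["src"]), ipaddress.ip_address(a["dst"])
        if dst in net and src not in net:
            bans.append(a["src"])
    return bans

if __name__ == "__main__":
    print(candidate_bans(SAMPLE_ALERTS, "62.149.0.0/16"))  # ['219.133.37.41']
```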