On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> A daemon sits running in the background listening to a special device
> (/dev) or an IPC which would originate from syslog-ng. This daemon
> would then parse the log and look for suspicious things. If it found
> something suspicious it would use regular expressions to grab out
> pertinent parts of the log (say the IP address) and act on the log
> accordingly (in real time) by, say, dropping an IPTABLE rule down on the
> IP address.
Google for "adaptive firewall"; maybe you get some hits.

I remember some "guardian" project, but it was conceptually not that
convincing: some combination of snort and a perl script...

Speaking of snort: wasn't there an option named "react: block"?

BTW, if you suck on syslog, anyone who is able to fake syslog entries
(and that's about any local user, and maybe some more) can easily DoS
arbitrary IPs unless these are on a whitelist... no good!

hth,
	Lars Ellenberg
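The daemon sketched in the quoted message, and the forged-syslog problem raised in the reply, as one added example (not code from either poster, from syslog-ng or from snort). It assumes OpenSSH "Failed password" lines as the trigger, a hypothetical whitelist of 10.0.0.0/8 and loopback, a threshold of three failures, and a constructed sample log whose last six lines imitate what an unprivileged local user can inject with `logger -t "sshd[9999]"`; the iptables command is built as an argv list but never executed.

```python
"""Minimal "adaptive firewall" sketch: parse syslog lines for repeated
failed logins, pull the source IP out with a regex, and build (not run)
an iptables DROP rule for offenders.  Added example; the log format,
whitelist and threshold are assumptions, not the poster's code."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed log format: OpenSSH "Failed password" lines as forwarded by syslog.
FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Hypothetical whitelist: never block the management network or loopback.
DEFAULT_WHITELIST = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]

# Constructed sample input (not a real log).  The last six lines imitate what an
# unprivileged local user can inject with `logger -t "sshd[9999]" ...`: syslog
# does not authenticate the process name, so the daemon cannot tell them apart.
SAMPLE_LOG = """\
Jun 30 18:40:01 host sshd[1234]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jun 30 18:40:03 host sshd[1234]: Failed password for root from 203.0.113.7 port 51123 ssh2
Jun 30 18:40:05 host sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Jun 30 18:40:09 host sshd[1236]: Failed password for alice from 192.0.2.10 port 40000 ssh2
Jun 30 18:40:11 host sshd[1236]: Accepted password for alice from 192.0.2.10 port 40000 ssh2
Jun 30 18:41:00 host sshd[9999]: Failed password for root from 10.0.0.1 port 1 ssh2
Jun 30 18:41:01 host sshd[9999]: Failed password for root from 10.0.0.1 port 2 ssh2
Jun 30 18:41:02 host sshd[9999]: Failed password for root from 10.0.0.1 port 3 ssh2
Jun 30 18:41:10 host sshd[9999]: Failed password for root from 198.51.100.5 port 1 ssh2
Jun 30 18:41:11 host sshd[9999]: Failed password for root from 198.51.100.5 port 2 ssh2
Jun 30 18:41:12 host sshd[9999]: Failed password for root from 198.51.100.5 port 3 ssh2
"""


def parse_failed_login(line):
    """Return the source IP of a failed-login line, or None if the line is
    not one (or the captured address does not parse as IPv4)."""
    m = FAILED_LOGIN.search(line)
    if not m:
        return None
    try:
        return str(ip_address(m.group(1)))
    except ValueError:
        return None


def is_whitelisted(ip, whitelist):
    addr = ip_address(ip)
    return any(addr in net for net in whitelist)


def decide_blocks(lines, threshold=3, whitelist=DEFAULT_WHITELIST):
    """Tally failed logins per source IP.  Returns (blocked, skipped):
    blocked = IPs that reached the threshold; skipped = IPs that would have
    been blocked but sit on the whitelist, which is the only thing standing
    between a forged log line and a self-inflicted DoS."""
    failures = Counter()
    for line in lines:
        ip = parse_failed_login(line)
        if ip is not None:
            failures[ip] += 1
    blocked, skipped = set(), set()
    for ip, n in failures.items():
        if n < threshold:
            continue
        if is_whitelisted(ip, whitelist):
            skipped.add(ip)
        else:
            blocked.add(ip)
    return blocked, skipped


def iptables_rule(ip):
    """argv for the rule the daemon would push; built here, never executed."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


if __name__ == "__main__":
    blocked, skipped = decide_blocks(SAMPLE_LOG.splitlines())
    for ip in sorted(blocked):
        print("would run:", " ".join(iptables_rule(ip)))
    for ip in sorted(skipped):
        print("whitelisted, not blocked:", ip)
```

Run against the sample, 203.0.113.7 (a genuine brute force) is blocked, 10.0.0.1 survives only because the whitelist covers it, and 198.51.100.5 is blocked although every line naming it was forged: that is exactly the DoS the reply warns about, and nothing short of a whitelist (or an authenticated log path) prevents it.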