
Re: reviewing httpd access log



On Sun, 1 Aug 2004, J Moore wrote:

> Reviewing my /var/www/logs/access_log file it seems there are a lot of
> "bogus" entries; i.e. people trying various hacks, looking for
> weaknesses, testing for win32, etc, etc.
>
> Is there a good technique for automatically identifying these
> trouble-makers? I'd like to be able to build a "deny" table for pf to
> halt repeat offenders, but I can't afford the time to review the logs
> "manually".

Perl, and devel/p5-File-Tail

Works wonders. tail the file, match lines in the log, and ... do stuff.
Which may include bashing an address into a table and writing a log
message.

I've got a working honeypot network somewhere that does exactly this but
works with cisco ACLs instead.

CK

-- 
Chris Kuethe, GCIA CISSP: Secure Systems Specialist - U of A CNS
       office: 157 General Services Bldg.    +1.780.492.8135
               chris.kuethe@[pyxis.cns.]ualberta.ca

      GDB has a 'break' feature; why doesn't it have 'fix' too?
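The approach CK sketches (tail the log, match lines, push addresses into a pf table), written out as an added example in Python instead of Perl/File::Tail; it is not code from this thread. The probe signatures, the threshold of 3, and the table name `badhosts` are assumptions, and the table must exist in pf.conf (`table <badhosts> persist`).

```python
import re
import time
from collections import defaultdict
# Common Log Format: client ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# Assumed probe signatures: Windows/IIS-only paths and traversal that an OpenBSD/Apache
# host never serves, so a 4xx on one of them is a scanner, not a lost visitor.
PROBE_RE = re.compile(r'(cmd\.exe|root\.exe|/_vti_bin/|/scripts/|\.\./)', re.IGNORECASE)
THRESHOLD = 3          # probes from one address before it goes into the table
PF_TABLE = "badhosts"  # assumed name; declared in pf.conf as 'table <badhosts> persist'

def probe_source(line):
    """Return the client IP if the line is a failed probe request, else None."""
    m = LOG_RE.match(line)
    if m and m.group("status").startswith("4") and PROBE_RE.search(m.group("req")):
        return m.group("ip")
    return None

def offenders(lines, threshold=THRESHOLD):
    """Count probes per client over an iterable of log lines; return repeat offenders."""
    hits = defaultdict(int)
    for line in lines:
        ip = probe_source(line)
        if ip:
            hits[ip] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def pfctl_add(ip, table=PF_TABLE):
    """The pfctl invocation that adds one address to the deny table (run it via subprocess)."""
    return ["pfctl", "-t", table, "-T", "add", ip]

def follow(path, interval=1.0):
    """Yield lines appended to path after we open it, the way File::Tail does."""
    with open(path) as fh:
        fh.seek(0, 2)                 # start at end of file
        while True:
            line = fh.readline()
            if line:
                yield line.rstrip("\n")
            else:
                time.sleep(interval)

# Constructed sample lines using RFC 5737 documentation addresses, not a real log.
SAMPLE = [
    '192.0.2.77 - - [01/Aug/2004:10:00:02 -0600] "GET /scripts/root.exe HTTP/1.0" 404 276',
    '192.0.2.77 - - [01/Aug/2004:10:00:03 -0600] "GET /winnt/system32/cmd.exe HTTP/1.0" 404 276',
    '192.0.2.77 - - [01/Aug/2004:10:00:04 -0600] "GET /_vti_bin/ HTTP/1.0" 404 276',
    '192.0.2.55 - - [01/Aug/2004:10:00:05 -0600] "GET /../../etc/passwd HTTP/1.0" 404 276',
]
```

In production the loop is `for ip in offenders(follow("/var/www/logs/access_log")): subprocess.run(pfctl_add(ip))`, with a set of already-added addresses so each one is added once; on the constructed sample only 192.0.2.77 crosses the threshold.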