Re: reviewing httpd access log
From: Chris Kuethe (ckuethe at ualberta.ca)
Date: Mon Aug 02 2004 - 18:56:29 CDT
On Sun, 1 Aug 2004, J Moore wrote:
> Reviewing my /var/www/logs/access_log file it seems there are a lot of
> "bogus" entries; i.e. people trying various hacks, looking for
> weaknesses, testing for win32, etc, etc.
>
> Is there a good technique for automatically identifying these
> trouble-makers? I'd like to be able to build a "deny" table for pf to
> halt repeat offenders, but I can't afford the time to review the logs
> "manually".
Perl, and devel/p5-File-Tail
Works wonders. tail the file, match lines in the log, and ... do stuff.
Which may include bashing an address into a table and writing a log
message.
I've got a working honeypot network somewhere that does exactly this but
works with cisco ACLs instead.
CK
--
Chris Kuethe, GCIA CISSP: Secure Systems Specialist - U of A CNS
office: 157 General Services Bldg. +1.780.492.8135
chris.kuethe at [pyxis.cns.]ualberta.ca
GDB has a 'break' feature; why doesn't it have 'fix' too?
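A worked version of the approach Chris describes, added here as an example and not code from the thread or from either poster: it tails the access log with File::Tail, matches requests that look like probes (the win32 cmd.exe and directory-traversal kind the original poster complains about), counts them per client address and, once an address crosses a threshold, adds it to a pf table with pfctl and writes a syslog message. The table name badhosts, the threshold, the probe regexes, the DRY_RUN switch and the pf.conf lines quoted in the comments are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): tail httpd's access_log with
# File::Tail, flag probe-looking requests, and add repeat offenders to a pf
# table. Assumes pf.conf declares the table, e.g.
#   table <badhosts> persist
#   block in quick from <badhosts>
# Table name, threshold and probe patterns are assumptions for this example.
use strict;
use warnings;
use File::Tail;
use Sys::Syslog qw(openlog syslog closelog);

my $log       = '/var/www/logs/access_log';
my $table     = 'badhosts';              # pf table name (assumed)
my $threshold = 3;                       # matched probes before blocking
my $dry_run   = $ENV{DRY_RUN} ? 1 : 0;   # DRY_RUN=1: log only, never call pfctl

# Request patterns that a non-Windows web server has no legitimate reason to
# receive: Nimda/Code Red style cmd.exe and root.exe probes, FrontPage
# extension probes, and plain or URL-encoded directory traversal.
my @probes = (
    qr{cmd\.exe}i,
    qr{root\.exe}i,
    qr{/_vti_bin/}i,
    qr{\.\./},
    qr{%2e%2e%2f}i,
);

my %hits;      # client address -> number of matched requests
my %blocked;   # addresses already handed to pfctl

openlog('logwatch', 'pid', 'daemon');

# tail => 0 starts at the end of the file, like tail -f; read() blocks
# until a new line arrives.
my $tail = File::Tail->new(
    name        => $log,
    tail        => 0,
    interval    => 1,
    maxinterval => 5,
);

while (defined(my $line = $tail->read)) {
    # Common/Combined Log Format: client ident user [time] "request" status ...
    next unless $line =~ m{^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3})};
    my ($client, $request, $status) = ($1, $2, $3);

    next unless grep { $request =~ $_ } @probes;

    # Only hand pfctl something that looks like an IPv4/IPv6 literal;
    # anything else in the client field is not worth acting on.
    next unless $client =~ /^[0-9A-Fa-f:.]+$/;

    $hits{$client}++;
    syslog('info', 'probe from %s (%d so far): "%s" -> %s',
           $client, $hits{$client}, $request, $status);

    next if $hits{$client} < $threshold or $blocked{$client};
    $blocked{$client} = 1;

    if ($dry_run) {
        syslog('notice', 'would add %s to table <%s>', $client, $table);
    } else {
        # List form of system(): no shell, so the address is never
        # interpolated into a command line.
        my $rc = system('pfctl', '-t', $table, '-T', 'add', $client);
        syslog($rc == 0 ? 'notice' : 'err',
               'pfctl add %s to <%s> exit=%d', $client, $table, $rc >> 8);
    }
}
closelog();
```

The script has to run as root for pfctl to work; start it with DRY_RUN=1 first and watch syslog to confirm the patterns match what you expect before letting it touch the table. `pfctl -t badhosts -T show` lists what has been added, and `pfctl -t badhosts -T flush` empties the table, since entries added this way do not expire on their own.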