i have half a dozen or so daemons that watch various streams of info and then block the evildoer through various means.

some general advice:

when you see a possible evil IP, check the Cache for your statistics on the IP, if there are none then create a Cache entry for your IP and start collecting the numbers. i keep a $ip_short, $ip_medium, and $ip_long counts with separate Cache entries of varying lifetimes (short = 1min, med = 10min, long = 30min). then while processing each IP you fetch the short entry, add your numbers, and if they pass the short threshold you request a block, otherwise put the entry back in the Cache. do this for each of the short, med, and long counts. if you do make a block request, add a Cache entry for $ip_blocked so you don't keep requesting the same block over and over.

a block request simply puts the offending IP in a database with some info as to why it's being blocked. a blocker process wakes up every 5 minutes and checks the block requests and performs any that it finds. (for me that means external hosts get blocked in a filter on the border router, internal hosts on the Switch Fabric get their port disabled and their MAC address disabled (so they can't just move to another port), internal hosts not on the Switch Fabric get blocked at the router-port closest to them (this is harder and takes much more work).)

using the Cache objects keeps you from having to do lots of time calculations. if the short entry is there when you check, it's been less than a minute since their last failure... so you can easily catch the fast evil in the short entry, and the long slow evil in the long entry.


In reply to Re: Logfile analysis and automatic firewalling by zengargoyle
in thread Logfile analysis and automatic firewalling by Notromda
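The short/medium/long counters and the one-shot block request described in the post above, written out as a small Perl sketch (an added example, not zengargoyle's code): the Cache object is stood in for by an in-memory hash with expiry timestamps, the block-request database by an array, and the thresholds and the lifetime of the $ip_blocked marker are assumed values that the post does not give.

```perl
use strict; use warnings;

# Windows from the post: short = 1 min, medium = 10 min, long = 30 min.
# Thresholds and the lifetime of the "blocked" marker are assumed values.
my %WINDOW      = ( short => 60, medium => 600, long => 1800 );
my %THRESHOLD   = ( short => 5,  medium => 20,  long => 50 );
my $BLOCKED_TTL = 1800;

my %cache;            # stand-in for the Cache object: key => { value, expires }
my @block_requests;   # stand-in for the block-request database

# An expired entry is treated as absent, which is the whole trick: if the
# short entry exists, the last failure was less than a minute ago.
sub cache_get {
    my ( $key, $now ) = @_;
    my $e = $cache{$key} or return;
    return $e->{value} if $e->{expires} > $now;
    delete $cache{$key};
    return;
}

sub cache_set {
    my ( $key, $value, $ttl, $now ) = @_;
    $cache{$key} = { value => $value, expires => $now + $ttl };
}

# Record $n new failures from $ip seen at epoch $now. Returns the window whose
# threshold was crossed (after queueing one block request), else undef.
sub note_failures {
    my ( $ip, $n, $now ) = @_;
    return if cache_get( "$ip:blocked", $now );    # already requested; don't repeat it
    for my $win (qw(short medium long)) {
        my $count = ( cache_get( "$ip:$win", $now ) // 0 ) + $n;   # no entry => start at 0
        if ( $count >= $THRESHOLD{$win} ) {
            push @block_requests,
              { ip => $ip, at => $now, why => "$count failures in $win window ($WINDOW{$win}s)" };
            cache_set( "$ip:blocked", 1, $BLOCKED_TTL, $now );
            return $win;
        }
        cache_set( "$ip:$win", $count, $WINDOW{$win}, $now );   # put it back, lifetime refreshed
    }
    return;
}

# Constructed demo. Fast evil: five failures in five seconds trips the short window. Slow evil:
# one failure every 11 minutes outlives neither the short nor the medium entry, but accumulates
# in the long one and trips it on the 50th failure.
my $t0 = 1_000_000;
for my $i ( 1 .. 5 )  { my $w = note_failures( '192.0.2.10', 1, $t0 + $i );       print "fast: $w\n" if $w }
for my $i ( 1 .. 50 ) { my $w = note_failures( '192.0.2.20', 1, $t0 + 660 * $i ); print "slow: $w\n" if $w }
printf "%d block request(s) queued\n", scalar @block_requests;
```

A real blocker would wake up on its own schedule, read @block_requests (the database table) and carry out the router, switch-port or MAC block the post describes.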