changeset 61:8b33436dd18b

Update example configuration and documentation.
author Matti Hamalainen <ccr@tnsp.org>
date Mon, 17 Aug 2009 08:22:38 +0300
parents 38885f5f34f6
children 924720517cf9
files README example.conf
diffstat 2 files changed, 30 insertions(+), 9 deletions(-) [+]
--- a/README	Mon Aug 17 08:22:24 2009 +0300
+++ b/README	Mon Aug 17 08:22:38 2009 +0300
@@ -1,4 +1,4 @@
-Malicious Attack Livid Termination Filter daemon (maltfilter) v0.13.1
+Malicious Attack Livid Termination Filter daemon (maltfilter) v0.14.0
 =====================================================================
 Programmed by Matti 'ccr' Hämäläinen <ccr@tnsp.org>
 (C) Copyright 2009 Tecnic Software productions (TNSP)
@@ -8,20 +8,27 @@
 
 About
 =====
-Automagic management script for adding and removing Netfilter/iptables
-filtering rules based on continuous logfile parsing for certain break-in
-and exploitation scanning attempts.
-
 Maltfilter daemon script continuously scans various system logfiles
-including auth.log, httpd logs, etc. for signs of malicious connections
+including auth.log, httpd logs, etc. for signs of malicious connections,
 break-in and exploitation attempts. The originating IP addresses of
 these connections are then blocked via Netfilter (iptables).
 
+Additionally Maltfilter can generate status reports (either continuously
+in daemon mode, or as once-run report), in plaintext and HTML formats.
+
+Since v0.14, there is also option for gathering "evidence" about certain
+PHP XSS exploit attempts into specified directory. These evidence files
+include the attempted exploit code (if found) and hosts which have tried
+to make your server run it.
+
+
 Requirements:
 
  - Perl 5.8 or later
  - Date::Parse (libtimedate-perl)
  - Net::IP (libnet-ip-perl)
+ - Net::DNS (libnet-dns-perl)
+ - LWP::UserAgent (libwww-perl)
 
 
 Installation
@@ -73,3 +80,4 @@
 You can also run "full" report generation via the "-f" option, in this
 special mode, no automatic weeding is performed, resulting in
 more data being shown.
+
--- a/example.conf	Mon Aug 17 08:22:24 2009 +0300
+++ b/example.conf	Mon Aug 17 08:22:38 2009 +0300
@@ -14,11 +14,11 @@
 # NOTICE! IF YOU DON'T CHANGE THIS TO 0, MALTFILTER WILL NOT DAEMONIZE!
 DRY_RUN = 1
 
+# Full path to iptables binary
+IPTABLES = "/sbin/iptables"
+
 # Maltfilter logfile path and name (set empty "" if you don't want logging)
 LOGFILE = "/var/log/maltfilter"
-  
-# Full path to iptables binary
-IPTABLES = "/sbin/iptables"
 
 # System passwd file location (default is /etc/passwd), this file
 # is checked to figure out system account names. See also SYSACCT_
@@ -161,3 +161,16 @@
 ## If disabled (0), instead of full timestamps, first/last hit times
 ## will be printed as "W weeks, D days, H hours ago." etc.
 #FULL_TIME           = 1
+
+
+#############################################################################
+### Evidence gathering
+#############################################################################
+## By enabling EVIDENCE=1 and setting EVIDENCE_DIR to existing directory
+## writable by the effective UID which Maltfilter runs as, it will be
+## populated by *.data and *.hosts files. If succesfully retrieved, .data
+## files will have contents of the attempted XSS URI. *.hosts files
+## list which hosts have attempted to exploit this specific URI.
+
+#EVIDENCE            = 0
+#EVIDENCE_DIR        = "/var/run/malt-evidence"
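Review bot: The new EVIDENCE_DIR comment says the directory must be writable by Maltfilter's effective UID but nothing about who may read it or where it should live, even though the *.data files it describes will hold attacker-supplied content (the retrieved XSS URI contents); a shared or world-writable location also invites clobbering through pre-planted names or symlinks. The default "/var/run/malt-evidence" sits under /var/run, which many distributions mount as tmpfs and clear at boot, so gathered evidence would likely not survive a reboot, and a /var/lib path would be the more conventional default if persistence is intended. I would extend the comment with `## The directory should be dedicated to Maltfilter, owned by its UID and not readable by` / `## others (the .data files contain attacker-supplied content), and must not be under a` / `## web document root or a tmpfs path such as /var/run if evidence is meant to persist.`. Separately, "succesfully" in the .data sentence is misspelled, and since both keys are shown commented out, whether EVIDENCE is treated as 0 when the key is absent cannot be confirmed from this hunk.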