-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathREADME
70 lines (54 loc) · 2.73 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
mousetrapd
mousetrapd - Log monitoring and active response daemon
SYNOPSIS
mousetrapd [options]
Options:
--daemon start as a daemon
--user=<user> user to setuid to
--group=<group> group to setgid to
--pidfile=<pidfile> location of the pidfile
--config=<config> path to configuration file
--help print help and exit
--version print version and exit
DESCRIPTION
This program monitors multiple file sources as specified in the
configuration file and executes arbitrary actions based on the frequency
of observer "events".
An event is a captured string extracted out of a line from a log file.
For example, if the following source was configured in the mousetrapd
configuration file:
my_iptables_source: {
file: '/var/log/kern.log',
pattern: 'audit out smtp .+ UID=(\d+)',
index: 0,
action: 'iptables -A OUTPUT -m owner --uid-owner %L -j DROP'
}
a unique match of the value of the group above (ie \d+) is considered an
event. So to illustrate further, if the following line was observed in
/var/log/kern.log with the configured "pattern" above:
IPTABLES - audit out smtp IN= OUT=eth0 ... UID=12333 ...
the "event" is considered an occurance of "12333". A limit of event
occurances per time period is configured, along with a threshold. If a
particular event exceeds this limit, an arbitrary command configured
against the source is executed, with '%L' substituted for the event. In
the example above, the following command would be executed:
iptables -A OUTPUT -m owner --uid-owner 12333 -j DROP
SIGNALS
The mousetrapd daemon will catch the HUP signal, reload the
configuration that the daemon was started with, and restart all source
watcher child processes.
AUTHOR
Mikey Austin, <mikey@jackiemclean.net>
COPYRIGHT AND LICENSE
Copyright (C) 2014 Mikey Austin <mikey@jackiemclean.net>
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.