GitHub - mikey-austin/mousetrapd: Execution of arbitrary commands based on frequency of observed events from multiple sources.

mikey-austin / mousetrapd Public

Notifications You must be signed in to change notification settings
Fork 0
Star 1

Execution of arbitrary commands based on frequency of observed events from multiple sources.

Notifications

Name		Name	Last commit message	Last commit date
Latest commit History 23 Commits
MT		MT
debian		debian
.gitignore		.gitignore
CREDITS		CREDITS
LICENSE		LICENSE
Makefile		Makefile
README		README
mousetrapd		mousetrapd
mousetrapd.8		mousetrapd.8
mousetrapd.debian-init		mousetrapd.debian-init
mousetrapd.redhat-init		mousetrapd.redhat-init
mousetrapd.redhat-spec		mousetrapd.redhat-spec
sample-mousetrapd.conf		sample-mousetrapd.conf

Repository files navigation

mousetrapd
    mousetrapd - Log monitoring and active response daemon

SYNOPSIS
      mousetrapd [options]

      Options:
        --daemon               start as a daemon
        --user=<user>          user to setuid to
        --group=<group>        group to setgid to
        --pidfile=<pidfile>    location of the pidfile
        --config=<config>      path to configuration file
        --help                 print help and exit
        --version              print version and exit

DESCRIPTION
    This program monitors multiple file sources as specified in the
    configuration file and executes arbitrary actions based on the frequency
    of observer "events".

    An event is a captured string extracted out of a line from a log file.
    For example, if the following source was configured in the mousetrapd
    configuration file:

      my_iptables_source: {
        file:    '/var/log/kern.log',
        pattern: 'audit out smtp .+ UID=(\d+)',
        index:   0,
        action:  'iptables -A OUTPUT -m owner --uid-owner %L -j DROP'
      }

    a unique match of the value of the group above (ie \d+) is considered an
    event. So to illustrate further, if the following line was observed in
    /var/log/kern.log with the configured "pattern" above:

      IPTABLES - audit out smtp IN= OUT=eth0 ... UID=12333 ...

    the "event" is considered an occurance of "12333". A limit of event
    occurances per time period is configured, along with a threshold. If a
    particular event exceeds this limit, an arbitrary command configured
    against the source is executed, with '%L' substituted for the event. In
    the example above, the following command would be executed:

      iptables -A OUTPUT -m owner --uid-owner 12333 -j DROP

SIGNALS
    The mousetrapd daemon will catch the HUP signal, reload the
    configuration that the daemon was started with, and restart all source
    watcher child processes.

AUTHOR
    Mikey Austin, <mikey@jackiemclean.net>

COPYRIGHT AND LICENSE
    Copyright (C) 2014 Mikey Austin <mikey@jackiemclean.net>

    This program is free software; you can redistribute it and/or modify it
    under the terms of the GNU General Public License as published by the
    Free Software Foundation; either version 2 of the License, or (at your
    option) any later version.

    This program is distributed in the hope that it will be useful, but
    WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
    Public License for more details.

    You should have received a copy of the GNU General Public License along
    with this program; if not, write to the Free Software Foundation, Inc.,
    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.