[Savannah-cvs] /srv/bzr/administration r258: Merge close attack notifica
From: |
Sylvain Beucler |
Subject: |
[Savannah-cvs] /srv/bzr/administration r258: Merge close attack notifications |
Date: |
Sun, 13 Feb 2011 15:18:17 -0000 |
User-agent: |
Bazaar (2.0.3) |
------------------------------------------------------------
revno: 258
committer: Sylvain Beucler <address@hidden>
branch nick: infra
timestamp: Sat 2011-01-15 00:22:23 +0100
message:
Merge close attack notifications
modified:
maintenance/sql_injection_monitor
=== modified file 'maintenance/sql_injection_monitor'
--- a/maintenance/sql_injection_monitor 2010-12-19 20:27:12 +0000
+++ b/maintenance/sql_injection_monitor 2011-01-14 23:22:23 +0000
@@ -2,6 +2,7 @@
#
# SQL Injection Log Monitor
# Copyright (C) 2010 - Michael J. Flickinger
+# Copyright (C) 2011 - Sylvain Beucler
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -29,6 +30,8 @@
use File::Tail;
use URI::Escape;
+my $message_body = undef;
+my $last_time = time();
# this should run as a forked process, so check if this is already running
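Review bot: `my $message_body = undef;` on the first added line spells out the default that `my` already provides; `my $message_body;` is the idiomatic form and says the same thing. Both new file-scoped variables are state shared with the matching block in validate(), so a one-line comment next to them, such as `# pending notification text and time of the last matching line, used to batch mails`, would save the reader a trip to the mail-sending code further down.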
@@ -47,7 +50,8 @@
}
# this is a little evil
- $0 = 'sql_injection_monitor [running]';
+ # commenting out because it makes 'killall' uneasy
+ #$0 = 'sql_injection_monitor [running]';
my $log_file = $config->{log_file};
@@ -63,8 +67,7 @@
my $ft = File::Tail->new(
name => $file,
- maxinterval => 1,
- adjustafter => 1,
+ maxinterval => 30,
);
while (defined(my $line = $ft->read)) {
&validate($line);
@@ -89,18 +92,20 @@
)
)
{
- my $remote_addr = (split(/ /, $line))[0];
- my $message_body = qq[
-Possible SQL injection attack with the following apache access_log entry:
-
-$line
-];
- &mail({
- body => $message_body,
+ $message_body .= $line;
+ $last_time = time();
+ }
+ # Group e-mails instead of sending out one mail per attacker request
+ if ((time() - $last_time) > 60 and defined($message_body))
+ {
+ &mail({
+ body => "Possible SQL injection attack with the following apache
access_log entry:\n\n"
+ . $message_body,
from => $config->{email_from},
to => join(', ', @{$config->{emails}}),
- subject => join(' - ', $config->{subject}, $remote_addr),
- });
+ subject => $config->{subject},
+ });
+ undef($message_body);
}
}
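Review bot: The flush condition `(time() - $last_time) > 60` only becomes true once matching lines stop arriving for a minute, so under a sustained attack (a hit at least every 60 s) `$message_body` keeps growing and no mail is ever sent, which defeats the monitor's purpose. It also runs only when validate() is entered, i.e. when `$ft->read` in the loop at the -63 hunk returns another line, so a burst followed by a quiet log is not reported until unrelated traffic arrives. A bounded window fixes the first part: flush on the age of the buffer rather than on idleness, with `$first_time = time() unless defined $message_body;` before the append and `if (defined($message_body) and (time() - $first_time) > 60)` as the condition, and `$first_time` declared alongside `$last_time`. Waking the read loop periodically instead of blocking in `read` would be needed for the quiet-log case; that is outside this hunk. validate()'s declaration is above the hunk.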
@@ -120,6 +125,6 @@
&main();
-
-
-
+# Local Variables:
+# compile-command: "perl -cw sql_injection_monitor"
+# End: