andrea.martire > aLid-1.02 > xmasProtect

Download:
aLid-1.02.tar.gz

Annotate this POD

View/Report Bugs
Source  

NAME ^

xmasProtect - Script used for intercept attempts of port scanning by Xmas scan.

SYNOPSIS ^

xmasProtect RANGE EVT_BOUND RED_BOUND FILE_IP_BLOCKED NOTIFY FILTER [FREQ_EMAIL]

DESCRIPTION ^

It is used for intercept attempts of port scanning that use the tecnic XMAS Scan. The attacker must send many package TCP with purpose of obtain informations about ports. Each package has enabled only flags FIN, URG, PSH. When is reached a particular threshold fixed in the configuration, the source ip is blocked because it's responsable of port scanning.

OPTIONS ^

RANGE

It is the value, in seconds, of the temporal window to analyze. If N is the value of range, the temporal window to analyze is [ NOW - N , NOW ].

EVT_BOUND

It's the maximun number of times that the found event can verifies inside of temporal window(RANGE). Source ip, findable on log file, is considered responsible. At the overcoming of threshold, depending on configuration, can block source ip or simply notify what is happened. If an ip is blocked, there is also a mark of the moment in which it happens with reference to universal time (UTC) in seconds.

RED_BOUND

It is the number of seconds in which an blocked ip can't communicate through machine where is installed the program. When the redemption's source is reached, blocked ip is unlocked. The overcoming is calculated in the following way:

IF ( NOW - BLOCKING_TIME > RED_BOUNG ) UNLOCK BLOCKED IP ELSE BLOCKED IP REMAINS BLOCKED

FILE_IP_BLOCKED

It is used to define a complete path to file, that contains informations about blocked ip.

NOTIFY

There are 4 kinds of notific option: MAIL, LOG, ALL, NOTHING.

MAIL

It sends a notific email to all addresses specified on file /etc/aLid/email.conf

LOG

It allows to write a line on log file of application.

ALL

Include both notify's typologies MAIL e LOG.

NOTHING

No notification.

FILTER

It specifics the policy to adopt considering ip detected. Options accepted are: DROP and NODROP.

DROP

It blocks detected ip in the firewall applying a specific rule.

NODROP

It doesn't execute a rule of drop in the firewall.

FREQ_EMAIL

It specifics the attendance of send of notifics mail in seconds. It's optional and subordinate at the presence of options MAIL or LOG.

EXAMPLES ^

xmasProtect 10 5 7 /etc/aLid/ip_blocked_xmasprotect all drop 60

It executes script using a range of 10 seconds, 5 maximun attempts in the temporal window, 7 seconds as redention's threshold. Ip_blocked_xmasprotect is the name of the file utilized, all is the notifics typology, drop is kind of filter, and 60 is mail's frequency.

FILES ^

/etc/aLid/aLid.conf

Configuration's file of the application.

REQUIREMENT ^

DateTime

DateTime - Perl Library of cpan community

SEE ALSO ^

sharedTail, aLid, aLid.conf

AUTHOR ^

Andrea Martire (andreamartire@gmail.com)

COPYRIGHT AND LICENSE ^

Copyright © 2010 Andrea Martire <andreamartire@gmail.com>. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.

syntax highlighting: