
Peter Beckman wrote:
In a production environment, log files can get really big, making parsing, grepping and copying costly, especially every 5 minutes. There is a great benefit to on-the-fly log parsing and action with a compiled tool that uses minimal resources.
For most people, all the tools are functionally the same -- block hosts that pass a certain threshold or set of rules. But when you get into production systems with a lot of customers and a lot of attacks, the interpreted script (PHP, Python, bash/sh/tcsh) simply doesn't scale as well as a compiled, native OS byte-code long-running daemon.
I don't want to get into another language flame war, we all use what works for us during the time we need such things, and when it stops working for us, we change. There's 9 ways from Sunday to do the things we all have to do as VoIP folk, none of them are wrong, every choice has tradeoffs.
Agreed (IO calls, grep, tail, etc). Things to keep in mind though:

1) It was something new for me.
2) I needed the portability. For example, if (for some strange reason) I didn't have Perl on the fly, I would have had to install it. Shell scripting absolved that. I thought about writing something in C, then in Ruby (last resort would have been Perl since I'm not that much of a fan).
3) My system is not yours! If someone else wanted something on the fly, there it is (was). Able to give someone at least a framework to go on.

As for the large log files (drum roll - you will want to kick me)... I can easily parse it out from a central syslog server, whip up a script to correlate all logs, then reshoot them off to servers. The load would be taken off the PBX itself with a centralized source parsing out anomalous entries. SSH keys + shell scripts + coffee = tons of insanity + security fun/crash testing.

I may go back and re-do portions when I can; however, I left the IPS alone to fiddle with those annoying brute force kiddiots for now. Kind of like a personal pet project. Think "Deception Toolkit meets Asterisk".

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
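The threshold check both posts describe (count registration failures per source, flag sources over a limit), run off the PBX against lines a central syslog server has collected, as an added example that is not code from either poster. The log lines are constructed in the style of chan_sip "Registration from ... failed for" notices; the threshold, hostnames and addresses are assumed values.

```shell
#!/bin/sh
# Constructed sample of what a central syslog server might hold for one PBX.
# Lines imitate chan_sip registration-failure notices; addresses are from
# documentation ranges. One line is VERBOSE rather than NOTICE on purpose.
sample_log() {
cat <<'EOF'
Jan 10 10:00:01 pbx asterisk[1234]: NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5' - Wrong password
Jan 10 10:00:02 pbx asterisk[1234]: NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
Jan 10 10:00:03 pbx asterisk[1234]: NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
Jan 10 10:00:04 pbx asterisk[1234]: NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7' - Wrong password
Jan 10 10:00:05 pbx asterisk[1234]: VERBOSE[1234] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7' - Wrong password
Jan 10 10:00:06 pbx asterisk[1234]: NOTICE[1234] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '203.0.113.5' - Wrong password
EOF
}

# Read syslog lines on stdin and print "count ip" for every source address
# with at least $1 registration failures (default 3). Only the failure
# notice is matched, so ordinary traffic in the same file is ignored; an
# optional ':port' after the address (newer chan_sip builds) is stripped
# so both spellings count against the same source.
offenders() {
    threshold=${1:-3}
    grep "chan_sip.c: Registration from .* failed for '" \
    | sed "s/.* failed for '\([^':]*\)\(:[0-9]*\)\{0,1\}'.*/\1/" \
    | sort | uniq -c \
    | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# Stand-alone run over the constructed sample with the default threshold.
sample_log | offenders
```

The output is the input a blocking step would consume (a firewall rule push back to the PBX, in the poster's "reshoot them off to servers" design); the counting itself never has to touch the PBX.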