Only go back # days in the log.
Only process attack records which do not contain 'string'.
Display help information.
Do not ignore the IPs/Hostnames found specified in
~/.abck_ignored Mutually exclusive with -l option. Last one on command line
List ignored records as they are encountered. List all ignored
IPs/Hostnames at the end of the program run. Mutually exclusive with
-i option. Last one on command line is obeyed.
Only process attack records if they contain 'string'.
Dont actually process the matching records, just display them.
Display detailed version information.
Each time the record of an intrusion attempt is found which matches the command line-selected constraints, it is presented to the user for disposition. A typical prompt looks like this:
Log Record: Matching log entry found in /var/log/messages
Who Gets Message For: <nag.fleabag.horseplay.edu>? [horseplay.edu]
Pressing 'Enter' accepts the default notification destination of 'horseplay.edu'. Email is thus sent to 'firstname.lastname@example.org', 'email@example.com', and 'firstname.lastname@example.org...'. 'abck' then moves on to the next log entry.
Notice that this is the only way to actually send a notification email. The commands below allow the user to modify the notification domain, but only when the user responds with a blank line, will email actually be sent.
The user can also issue a number of commands at the prompt to do further lookups on the attacker or modify the domain to be notified.
Forget this record entirely without processing it. This means it will not show up again in subsequent runs of 'abck'.
l Move left one subdomain in the default destination.
q Quit the program. This causes an immediate exit. No history information is written to disk, even if some records have been processed and notification sent.
r Move right one subdomain in the default destination. 'abck' will prevent the user from doing this beyond the point there are less than two domains showing. (A user can enter a destination with only one level of domain manually. This is useful for testing because it allows 'localhost' to be entered as the point of notification.)
s Skip this record for now. The next time 'abck' is run, this record will be presented the user again for disposition.
w Run a 'whois' lookup on the address/name found in the original log entry. This is helpful when reverse lookups fail and may provide further information about the origin of the attack.
Any other string Replace the current default domain to notify with this string.
As 'abck' scans the system log, it looks for two keywords: 'refused' and 'unauthorized'. If it finds any of these keywords anywhere in a given log record, it presents that record to the user for disposition.
You can trivially add other 'trigger words' to the list of things 'abck' looks for as signs of intrusion. Suppose you have an intrusion detection program which writes log records like this:
Jul 27 00:27:35 eskimo inetd: Intruder saddle.horseplay.edu foiled
To get 'abck' to present records like this to the user for disposition, you only need two things. First, you need a unique trigger word that only appears in records of this type, say, 'foiled'. Then, you need to know which field within that record contains either the host name or IP address of the attacker. The first field is 0, so in this example, it would be field 7.
To get 'abck' to recognize this type of record, merely add this information to the AttackKeys data structure in the program. This is a Python dictionary, so all entries are of the form:
"keyword" : Fieldnum,
~/.abck_history - History of all records user has either processed or forgotten.
~/.abck_ignored - List of all IPs or Hostnames you want to ignore by default. Must have only one entry per line with no whitespace or comment characters. You may enter partial entries so that they match multiple attacking hosts. The rule is that partial entries for IPs should be truncated on the right and partial entries for Hostnames should be truncated on the left. For example, 192.168.3 will ignore everything from 192.168.3.0 - 192.168.3.255. Similarly, the entry: myschool.edu will ignore any host in that domain regardless of the less signficant subdomains.
You must have a reasonably current copy of python installed for 'abck' to operate. Also, the 'dig' and 'whois' programs must be on the system in a directory somewhere in $PATH.
None known as of this release, but the code is getting kind of ugly from constant hacking. Maintenance is starting to be painful.
Tim Daneliuk email@example.com