Your input is solicited. A few months ago, Tom Liston released a nice little worm/scanner detection daemon. His web site also has some nice cgi output of the log information from the daemon. On my site, the sys logger runs wild with LaBrea running, but there is really not all that much information once it is distilled. My logs pick up 40 megs a day and filtering them directly in real time also consumes lots of resources. The package LaBrea::Tarpit provides a data collection daemon that takes the output directly from LaBrea and keeps it in a constantly updated but small memory cache. The perl daemon consumes very little cpu time in doing this and provides effectively instant access to the distilled log data in real time.
The package includes a working daemon in the examples directory and a working html report generator in the LaBrea::Tarpit::Report/examples directory. Once all you nice folks help me agree on a category, I will submit the package to CPAN. In the meantime it is available at: http://www.bizsystems.net/downloads/

README excerpt follows:

NAME
    LaBrea::Tarpit

SYNOPSIS
    use LaBrea::Tarpit;
      or
    require LaBrea::Tarpit;

INSTALL
    Untar the package.

    Apply the patch found in contrib/ to the LaBrea source. This is not
    required but will reduce CPU usage for versions < 2.4.

    perl Makefile.PL
    make
    make test
    make install

    If you use examples/daemon.pl then create the cache fifo in an
    appropriate place, i.e.

    mkfifo /var/run/labrea.mem

    enjoy

DESCRIPTION - LaBrea::Tarpit
    This module provides tools to easily parse the log output or STDOUT of
    Tom Liston's LaBrea scanner/worm disruptor. For more information on
    LaBrea see http://www.hackbusters.net/ or contact the author of LaBrea,
    Tom Liston, [EMAIL PROTECTED].

    The parsed output of either syslog data or STDOUT from LaBrea using the
    -o or -O options is readily turned into text reports or an html output
    page.

    Basically there are two methods of operation. You can use the daemon
    mode to create an almost realtime cache that may be parsed using the
    report routines, or you can use the update and report routines to parse
    the syslog files on an as-needed basis. If you plan to create web page
    reports, the daemon model will use less system resources in the long run
    and avoids running syslog with the high volume output of LaBrea.

enjoy,
Michael
[EMAIL PROTECTED]
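To illustrate the daemon model described above (distilling a high-volume LaBrea stream into a small, always-current in-memory summary instead of letting syslog store every line), here is an added example; it is not code from LaBrea::Tarpit or from its author. The log line shape, the $MAX_HOSTS bound and the sample records are constructed assumptions; real LaBrea output may differ.

```perl
#!/usr/bin/perl
# Added example, not code from LaBrea::Tarpit: a minimal collector in the spirit
# of the daemon above. It reads LaBrea-style lines and keeps only a small
# per-source summary in memory. The line shape is CONSTRUCTED; real output may differ.
use strict; use warnings;

my $MAX_HOSTS = 1000;   # bound on cache size (assumed value)
my %cache;              # src_ip => { last => epoch, hits => n, ports => { port => n } }

# Constructed sample records, used when nothing is piped on STDIN.
my @sample = (
    "1010000000 Initial Connect (tarpitting): 10.0.0.5 3344 -> 192.0.2.10 80",
    "1010000003 Initial Connect (tarpitting): 10.0.0.5 3345 -> 192.0.2.11 80",
    "1010000007 Initial Connect (tarpitting): 10.0.0.9 4000 -> 192.0.2.12 445",
    "1010000009 Persist Trapping: 10.0.0.5 3344 -> 192.0.2.10 80",
);

# Return (src, dst_port, epoch) for a connect record, or () otherwise.
sub parse_line {
    my ($line) = @_;
    return () unless $line =~ m{^(\d+)\s+Initial\ Connect.*?:\s+
        (\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+->\s+\S+\s+(\d+)}x;
    return ($2, $3, $1);
}

sub update_cache {
    my ($src, $port, $t) = @_;
    my $e = $cache{$src} ||= { last => $t, hits => 0, ports => {} };
    $e->{hits}++;
    $e->{last} = $t;
    $e->{ports}{$port}++;
    # Keep the cache small: drop the least recently seen source when full.
    if (keys %cache > $MAX_HOSTS) {
        my ($oldest) = sort { $cache{$a}{last} <=> $cache{$b}{last} } keys %cache;
        delete $cache{$oldest};
    }
}

# Distilled report: busiest sources first, one line each.
sub report {
    return join "\n", map {
        my $e = $cache{$_};
        sprintf "%-15s hits=%-4d ports=%s last=%s", $_, $e->{hits},
            join(',', sort { $a <=> $b } keys %{ $e->{ports} }), scalar localtime $e->{last};
    } sort { $cache{$b}{hits} <=> $cache{$a}{hits} } keys %cache;
}

for my $line (-t STDIN ? @sample : <STDIN>) {
    chomp $line;
    my @rec = parse_line($line) or next;
    update_cache(@rec);
}
print report(), "\n";
```

Piping live output into the loop (for example from the fifo the INSTALL section creates) keeps memory bounded by $MAX_HOSTS rather than by the volume of log lines, which is the resource trade-off the announcement describes.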
