Your input is solicited. A few months ago, Tom Liston released a nice
little worm/scanner detection daemon. His web site also has some nice
cgi output of the log information from the daemon. On my site,
the sys logger runs wild with LaBrea running, but there is really not
all that much information once it is distilled. My logs pick up 40
megs a day and filtering them directly in real time also consumes
lots of resources. The package LaBrea::Tarpit provides a data
collection daemon that takes the output directly from LaBrea and
keeps it in a constantly updated but small memory cache. The perl
daemon consumes very little cpu time in doing this and provides
effectively instant access to the distilled log data in real time.
The package includes a working daemon in the examples directory and a
working html report generator in the LaBrea::Tarpit::Report/examples
directory.
Once all you nice folks help me agree on a category, I will submit
the package to CPAN. In the meantime it is available at:
http://www.bizsystems.net/downloads/
README excerpt follows:
NAME
LaBrea::Tarpit
SYNOPSIS
use LaBrea::Tarpit;
or
require LaBrea::Tarpit;
INSTALL
Untar the package
Apply the patch found in contrib/ to
the LaBrea source. This is not required
but will reduce CPU usage for version 2.4.
perl Makefile.PL
make
make test
make install
If you use examples/daemon.pl then create
the cache fifo in an appropriate place,
e.g. mkfifo /var/run/labrea.mem
enjoy
DESCRIPTION - LaBrea::Tarpit
This module provides tools to easily parse the log output or
STDOUT of Tom Liston's LaBrea scanner/worm disruptor. For more
information on LaBrea see http://www.hackbusters.net/ or contact
the author of LaBrea, Tom Liston ([EMAIL PROTECTED]).
The parsed output of either syslog data or STDOUT from LaBrea
using the -o or -O options is readily turned into text reports or
an html output page.
Basically there are two methods of operation. You can use the
daemon mode to create a near-real-time cache that may be parsed
using the report routines, or you can use the update and report
routines to parse the syslog files on an as-needed basis. If you
plan to create web page reports, the daemon model will use less
system resources in the long run and avoids running syslog with
the high volume output of LaBrea.
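To make concrete what "distilling" the LaBrea output means, here is a
small stand-alone Perl script that folds LaBrea-style log lines into a
per-source summary (first/last seen, tarpitted connects, persist
captures, distinct targets). It is an added example, not code from
LaBrea::Tarpit or from LaBrea itself, and it does not use the module's
API. The record layout it parses ("<epoch> Initial Connect
(tarpitting): <src> <sport> -> <dst> <dport>", with "Persist Trapping"
and "Additional Activity" variants and a trailing "*" for persist
captures, optionally behind a syslog prefix) and the sample lines are
assumptions constructed for the example, so check them against the -o
output of your own LaBrea build.

```perl
#!/usr/bin/perl
# Added example (not part of LaBrea::Tarpit): distill LaBrea-style
# log lines into a small per-source summary, the kind of "distilled"
# data a collection daemon would keep in its cache.
#
# Assumption: LaBrea's -o/-O output looks like
#   <epoch> Initial Connect (tarpitting): <src> <sport> -> <dst> <dport>
#   <epoch> Persist Trapping: <src> <sport> -> <dst> <dport> *
# and a syslog copy prefixes "Mon dd hh:mm:ss host labrea:" to the
# same message. Both the format and the sample lines below are
# constructed for this example.
use strict;
use warnings;

# Sample lines (constructed). Two arrive via syslog, the rest raw.
my @sample = (
    '1006389712 Initial Connect (tarpitting): 192.0.2.10 3456 -> 198.51.100.7 80',
    '1006389713 Persist Trapping: 192.0.2.10 3456 -> 198.51.100.7 80 *',
    '1006389720 Initial Connect (tarpitting): 192.0.2.10 3457 -> 198.51.100.8 80',
    'Nov 21 18:55:30 honey labrea: 1006389730 Initial Connect (tarpitting): 203.0.113.5 1025 -> 198.51.100.7 445',
    'Nov 21 18:55:40 honey labrea: 1006389740 Additional Activity: 203.0.113.5 1025 -> 198.51.100.7 445',
    'this line is not a LaBrea record and should be skipped',
);

# Parse one line; returns a hashref, or undef if it is not a LaBrea record.
sub parse_line {
    my ($line) = @_;
    # Strip an optional syslog prefix so raw and syslog input parse alike.
    $line =~ s/^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+labrea(?:\[\d+\])?:\s+//;
    return undef unless $line =~ m{
        ^(\d+)\s+                                    # epoch seconds
        (Initial\ Connect\ \(tarpitting\)|Persist\ Trapping|Additional\ Activity):\s+
        (\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+->\s+    # src ip, src port
        (\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)            # dst ip, dst port
        (\s+\*)?\s*$                                 # '*' marks a persist capture
    }x;
    return { time => $1, kind => $2, src => $3, sport => $4,
             dst => $5, dport => $6, persist => defined $7 ? 1 : 0 };
}

# Fold parsed records into a per-source summary.
sub distill {
    my (@lines) = @_;
    my %by_src;
    for my $line (@lines) {
        my $r = parse_line($line) or next;     # skip non-LaBrea lines
        my $s = $by_src{ $r->{src} } ||= {
            first => $r->{time}, last => $r->{time},
            connects => 0, persist => 0, targets => {} };
        $s->{first} = $r->{time} if $r->{time} < $s->{first};
        $s->{last}  = $r->{time} if $r->{time} > $s->{last};
        $s->{connects}++ if $r->{kind} eq 'Initial Connect (tarpitting)';
        $s->{persist}++  if $r->{persist};
        $s->{targets}{"$r->{dst}:$r->{dport}"}++;
    }
    return \%by_src;
}

my $summary = distill(@sample);
for my $src (sort keys %$summary) {
    my $s = $summary->{$src};
    printf "%-15s connects=%d persist=%d targets=%d held=%ds\n",
        $src, $s->{connects}, $s->{persist},
        scalar keys %{ $s->{targets} }, $s->{last} - $s->{first};
}
```

On the six constructed lines this prints one row per source address
(192.0.2.10 with two connects, one persist capture and two targets;
203.0.113.5 with one connect and one target), which is the whole of
what a report needs from several hundred lines of raw output. Feeding
it the fifo that examples/daemon.pl reads from instead of the inline
array is the one change needed to run it against live data.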
enjoy,
Michael
[EMAIL PROTECTED]