Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/regit/dom
Deny On Monitoring
https://github.com/regit/dom
Last synced: 9 days ago
JSON representation
Deny On Monitoring
- Host: GitHub
- URL: https://github.com/regit/dom
- Owner: regit
- License: gpl-3.0
- Created: 2014-06-05T07:18:49.000Z (over 10 years ago)
- Default Branch: master
- Last Pushed: 2014-11-29T15:07:07.000Z (almost 10 years ago)
- Last Synced: 2023-03-12T05:16:40.641Z (over 1 year ago)
- Language: Python
- Size: 187 KB
- Stars: 13
- Watchers: 2
- Forks: 4
- Open Issues: 0
-
Metadata Files:
- Readme: README.rst
- License: LICENSE
Awesome Lists containing this project
README
==================
Deny On Monitoring
==================
Introduction
============
DOM is a proof of concept implementing a solution similar to fail2ban. It parses Suricata EVE log file
searching for SSH event. If the client version is based on libssh, it adds the host to a blacklist
by using ipset.
Running DOM
===========
Go into the source directory and run: ::
./dom -f /usr/local/var/log/suricata/eve.json
Full options are available via '-h' option: ::
usage: dom [-h] [-f FILE] [-s IPSET] [-v] [-l LOG] [-m MOTIF] [-i] [-D]
Deny On Monitoring
optional arguments:
-h, --help show this help message and exit
-f FILE, --file FILE JSON file to monitor
-s IPSET, --ipset IPSET
Set IPSET for blacklist
-v, --verbose Show verbose output, use multiple times increase
verbosity
-l LOG, --log LOG File to log output to (default to stdout)
-m MOTIF, --motif MOTIF
String to look for in event
-i, --invert Invert match: trigger action if not found
-D, --daemon Run as unix daemon
If you know that regular client are using a software client (like OpenSSH) then
you can use ``motif`` and ``invert`` options to trigger an action on all clients not using
this software: ::
./dom -f /usr/local/var/log/suricata/eve.json -i -m OpenSSH