Berzerk Overview | February 26, 2011
Berzerk is a daemon that provides active monitoring of a network. Given a list of log files and regular expressions, Berzerk generates events when a match is triggered. Typically, this event is either
Berzerk gets its configuration from (/usr/local)/etc/berzerk/berzerk.bzf
threshold = 10                  # 10 points to trigger a fail
whitelist = 10\.10\.30\..*      # Don't check internal IPs
whitelist = 192\.168\.1\..*     # Don't check internal IPs

# Define a trap that adds an ip to the banned table
trap = [arschloch] $iptables -A arschloch -p ALL -s $ip -j DROP
#trap = [logkill] $logger ...   built-in trap

include = xmlrpc.bzf            # Include the rest of the rules
This is what the included ruleset (xmlrpc.bzf) looks like:
[xmlrpc]                        # Define a rule named xmlrpc
weight = 5                      # 5 points for matching this rule
trap = logkill                  # When the rule trips, execute this trap
log = /var/log/web/access_log.outside   # Monitor this file
ip = ([[:digit:]|[:punct:]]*)   # How to extract the ip from the log line.
filter = xmlrpc                 # filter to match (look for any "xmlrpc" in the line)
filter = /AZenv                 # another filter to match (look for "/AZenv" in the line)

[phpMyAdmin]
weight = 5
trap = logkill
log = /var/log/web/access_log.outside
ip = ([[:digit:]|[:punct:]]*)
filter = GET\ \/phpMyAdmin
filter = phpmyadmin
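To make the scoring concrete, here is an added example (not Berzerk's own code) that runs the two rules above over a handful of constructed access_log lines: it extracts the client address with the page's ip expression, skips whitelisted addresses, adds each matching rule's weight to the address's score, and renders the rule's trap with $ip substituted once the threshold is reached. Assumptions not stated on the page: any one filter of a rule trips it, every matching rule adds its weight, a trap fires once per address, $iptables is left for Berzerk to expand, the built-in logkill trap is shown without a command, and the POSIX bracket classes are translated to Python's re syntax since Python lacks them. The log lines and the RFC 5737 addresses in them are constructed for the example.

```python
import re
from collections import defaultdict
from string import Template

# The berzerk.bzf and xmlrpc.bzf settings from the page, as Python data.
THRESHOLD = 10
WHITELIST = [r"10\.10\.30\..*", r"192\.168\.1\..*"]
TRAPS = {
    # trap = [arschloch] $iptables -A arschloch -p ALL -s $ip -j DROP
    "arschloch": "$iptables -A arschloch -p ALL -s $ip -j DROP",
}
IP_RE = r"([[:digit:]|[:punct:]]*)"      # the page's ip = ... expression, verbatim
RULES = [
    {"name": "xmlrpc", "weight": 5, "trap": "logkill", "ip": IP_RE,
     "filters": ["xmlrpc", "/AZenv"]},
    {"name": "phpMyAdmin", "weight": 5, "trap": "logkill", "ip": IP_RE,
     "filters": [r"GET\ \/phpMyAdmin", "phpmyadmin"]},
]


def posix_to_python(pattern):
    """Python's re has no POSIX classes; expand the two the page uses.
    [:punct:] becomes the four ASCII punctuation ranges of the C locale."""
    return pattern.replace("[:digit:]", "0-9").replace("[:punct:]", r"!-/:-@\[-`{-~")


def extract_ip(ip_pattern, line):
    """Group 1 of the ip regex. The class is followed by '*', so it also matches
    the empty string: a line that does not start with an address yields ''."""
    m = re.search(posix_to_python(ip_pattern), line)
    return m.group(1) if m else ""


def is_whitelisted(ip, whitelist=WHITELIST, anchored=True):
    """Whitelisted addresses are never scored. Assumption: Berzerk anchors the
    pattern at the start of the address (re.match); with anchored=False the
    same patterns would also exempt an address such as 110.10.30.5."""
    matcher = re.match if anchored else re.search
    return any(matcher(pat, ip) for pat in whitelist)


def render_trap(name, ip):
    """Substitute $ip in a configured trap command. $iptables is left as-is for
    Berzerk to expand (assumption); built-ins such as logkill have no template."""
    if name in TRAPS:
        return Template(TRAPS[name]).safe_substitute(ip=ip)
    return f"{name} {ip}"  # built-in trap (assumption: shown as name + address)


def run(lines, rules=RULES, threshold=THRESHOLD):
    """Score every line against every rule. The first time an address reaches
    the threshold, the tripping rule's trap fires once for that address.
    Returns (scores, fired) with fired = [(ip, rule name, trap command), ...]."""
    scores = defaultdict(int)
    banned = set()
    fired = []
    for line in lines:
        for rule in rules:
            ip = extract_ip(rule["ip"], line)
            if not ip or is_whitelisted(ip):
                continue
            if not any(re.search(f, line) for f in rule["filters"]):
                continue
            scores[ip] += rule["weight"]
            if scores[ip] >= threshold and ip not in banned:
                banned.add(ip)
                fired.append((ip, rule["name"], render_trap(rule["trap"], ip)))
    return dict(scores), fired


# Constructed access_log lines; the addresses are RFC 5737 documentation ranges
# plus one from the whitelisted 10.10.30.0/24 range.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Feb/2011:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.0" 404 213',
    '203.0.113.7 - - [26/Feb/2011:10:00:02 +0000] "GET /AZenv.php HTTP/1.0" 404 213',
    '198.51.100.9 - - [26/Feb/2011:10:00:03 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 213',
    '10.10.30.5 - - [26/Feb/2011:10:00:04 +0000] "GET /phpMyAdmin/ HTTP/1.1" 200 512',
    '10.10.30.5 - - [26/Feb/2011:10:00:05 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 512',
    '198.51.100.9 - - [26/Feb/2011:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.9 - - [26/Feb/2011:10:00:07 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 213',
]

if __name__ == "__main__":
    scores, fired = run(SAMPLE_LOG)
    for ip, score in scores.items():
        print(f"{ip:15} {score} points")
    for ip, rule, cmd in fired:
        print(f"trap for {ip} via [{rule}]: {cmd}")
```

Two things worth checking in a real deployment follow directly from the expressions on the page: the whitelist patterns are not anchored, so whether `10\.10\.30\..*` can also exempt `110.10.30.5` depends on how the daemon applies them; and the ip expression ends in `*`, so a log line that does not begin with digits or punctuation produces an empty address rather than a parse error, which the example skips explicitly. The two filters of [phpMyAdmin] are also case-sensitive and cover `phpMyAdmin` and `phpmyadmin` separately, which is why the third and seventh sample lines each trip the rule once.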