BFD is a modular shell script for parsing application logs and checking for
authentication failures. It does this using a rules system where application-
specific options are stored, including a regular expression for each unique auth
format. The regular expressions are applied to logs using the 'sed' tool
(stream editor), which allows for vastly superior performance compared to
perl-based regular expressions or other tools such as grep/egrep.
Although some will argue that perl-based stream processing is far more flexible
than unix tools, I argue that perl is a bloated framework to depend upon, and unix
tools such as sed are universal across *nix. Further, perl is only more flexible
for regular-expression-based stream 'editing', such as in-place editing;
if you are only processing a data stream (as bfd does), then sed wins hands down.
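The shape of a sed-driven rule, as an added example (not BFD's own code or its shipped rules): one sed expression per application log format, run with `sed -n` so only matching lines are printed, reduced to the client address by the substitution, then counted against a threshold. The log lines, the sshd and vsftpd rules and the `bfd_failed_ips` function are all constructed for this illustration.

```shell
#!/bin/sh
# Added example, not BFD's own code. One sed expression per auth format, run
# with sed -n so only matching lines print, reduced to the offending address,
# then counted. Rules are modular: add one per application, same pipeline.

# Constructed sample log (not from a real host); RFC 5737 documentation addresses.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  1 10:00:01 host sshd[101]: Failed password for root from 192.0.2.10 port 5000 ssh2
Mar  1 10:00:02 host sshd[102]: Failed password for invalid user admin from 192.0.2.10 port 5001 ssh2
Mar  1 10:00:03 host sshd[103]: Accepted publickey for alice from 198.51.100.5 port 4000 ssh2
Mar  1 10:00:04 host sshd[104]: Failed password for root from 203.0.113.7 port 5002 ssh2
Mar  1 10:00:05 host sshd[105]: Failed password for root from 192.0.2.10 port 5003 ssh2
Mar  1 10:00:06 host vsftpd[201]: [bob] FAIL LOGIN: Client "192.0.2.10"
EOF

# Hypothetical rules, one per auth format (assumed here, not BFD's shipped rules).
# The substitution keeps only the client address; the trailing /p prints it.
SSHD_RULE='s/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p'
VSFTPD_RULE='s/.*vsftpd\[[0-9]*\]: \[[^]]*\] FAIL LOGIN: Client "\([0-9.]*\)".*/\1/p'

# bfd_failed_ips LOGFILE THRESHOLD RULE...
# Prints "count address" for each address that matched any rule THRESHOLD
# times or more. Each rule is a single sed pass over the stream; no perl.
bfd_failed_ips() {
    log=$1
    threshold=$2
    shift 2
    for rule in "$@"; do
        sed -n "$rule" "$log"
    done | sort | uniq -c | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# Demo: the sshd rule alone, then both rules combined over the same stream.
echo "sshd only (threshold 2):"
bfd_failed_ips "$SAMPLE_LOG" 2 "$SSHD_RULE"
echo "sshd + vsftpd (threshold 2):"
bfd_failed_ips "$SAMPLE_LOG" 2 "$SSHD_RULE" "$VSFTPD_RULE"
```

Only `sed -n` plus `/p` matters for the filtering; everything else is standard POSIX userland, which is the portability point the text makes. The address that hit sshd three times and vsftpd once is reported once with a combined count of four, which is what a per-host attack pool needs.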
In addition to the benefits of parsing logs in a single stream, BFD also uses a
log tracking system so logs are only parsed from the point at which they were last
read. This extends the performance of BFD even further, as the same log data is
not read over and over. The log tracking system is compatible with
syslog/logrotate-style log rotations, which allows it to detect when a rotation
has happened and grab log tails from both the new log file and the rotated log
file.
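The offset-tracking behaviour described above, as an added example that is not BFD's own implementation: the byte offset reached on the previous run is stored per log, only bytes past it are read, and a live file that has become shorter than the saved offset is taken as a rotation, in which case the tail of the rotated copy (assumed here to be `LOGFILE.1`, logrotate's default naming) is read first. The state directory, the `bfd_read_new` function and the sample log content are all constructed for this illustration.

```shell
#!/bin/sh
# Added example, not BFD's own code: read only the part of a log written since
# the last run, and notice a logrotate-style rotation (log -> log.1, new log).

STATE_DIR=$(mktemp -d)          # hypothetical state location, scratch for the demo
trap 'rm -rf "$STATE_DIR"' EXIT

# File size in bytes; wc -c < file is portable across GNU and BSD userlands.
log_size() { wc -c < "$1" | tr -d ' '; }

# bfd_read_new LOGFILE
# Prints the bytes appended since the previous call and records the new offset
# in $STATE_DIR/<name>.offset. If the live file is now shorter than the saved
# offset, the log was rotated: emit the unread tail of LOGFILE.1 first, then
# the whole new file.
bfd_read_new() {
    log=$1
    state="$STATE_DIR/$(basename "$log").offset"
    last=0
    [ -f "$state" ] && last=$(cat "$state")
    now=$(log_size "$log")
    if [ "$now" -lt "$last" ]; then
        # rotated: the old contents now live in LOGFILE.1 (logrotate default)
        [ -f "$log.1" ] && tail -c +$((last + 1)) "$log.1"
        last=0
    fi
    tail -c +$((last + 1)) "$log"
    echo "$now" > "$state"
}

# Demo with a constructed log living in the scratch directory.
LOG="$STATE_DIR/auth.log"
printf 'line1\nline2\n' > "$LOG"
first=$(bfd_read_new "$LOG")            # line1, line2
printf 'line3\n' >> "$LOG"
second=$(bfd_read_new "$LOG")           # line3 only
mv "$LOG" "$LOG.1"                      # logrotate moves the file...
printf 'line4\n' >> "$LOG.1"            # ...after a last line was appended
printf 'line5\n' > "$LOG"               # ...and a fresh log is started
third=$(bfd_read_new "$LOG")            # line4 from the rotated file, then line5
echo "first run: $first"
echo "second run: $second"
echo "after rotation: $third"
```

Size comparison is the cheapest rotation check and needs no non-portable `stat` output, but it misses a rotation where the new file has already grown past the old offset before the next run; a shorter cron interval (the text's 3 minutes, or down to a minute) keeps that window small, and comparing inode numbers closes it entirely where `stat` is available.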
You can also leverage BFD to block attackers using any number of tools such as
APF, Shorewall, raw iptables, ip route, or any custom command. There is also a
fully customizable e-mail alerting system with an e-mail template that is well
suited for everyday use, or you can open it up and modify it.
The attacker tracking in BFD is handled using simple flat text files that are
size-controlled to prevent space constraints over time, ideal for diskless
devices. There is also an attack pool where trending data is stored on all hosts
that have been blocked, including which rule triggered the block.
In the execution process, there is simply a cron job that executes BFD once
every 3 minutes by default. An embedded lock file system makes sure that no
two instances ever run at the same time, preventing messy and potentially
load-heavy results. The cron job can be run more frequently for those who desire
it, and doing so will not cause any performance issues (down to once a minute).
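A lock that keeps two scheduled runs from overlapping, as an added example (not BFD's own lock code): `mkdir` is atomic on POSIX filesystems, so it serves as the lock primitive, and the PID recorded inside the lock directory lets a later run reclaim a lock left behind by a run that died. The lock path, the `bfd_lock`/`bfd_unlock` functions and the stale PID in the demo are all constructed for this illustration.

```shell
#!/bin/sh
# Added example, not BFD's own code: an atomic lock so two cron-started runs
# never execute at the same time, with reclamation of a lock whose owner died.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOCK="$WORK/bfd.lock"      # hypothetical path; a real install would use a fixed one

# bfd_lock: returns 0 when the lock is ours, 1 when another live run holds it.
bfd_lock() {
    if mkdir "$LOCK" 2>/dev/null; then
        echo $$ > "$LOCK/pid"
        return 0
    fi
    holder=$(cat "$LOCK/pid" 2>/dev/null)
    if [ -n "$holder" ] && kill -0 "$holder" 2>/dev/null; then
        return 1           # a live process owns the lock: back off
    fi
    # stale lock (owner gone, e.g. a crash): remove it and try exactly once more
    rm -rf "$LOCK"
    mkdir "$LOCK" 2>/dev/null || return 1
    echo $$ > "$LOCK/pid"
}

bfd_unlock() { rm -rf "$LOCK"; }

# Demo: first run locks, a second run in the same process finds it held.
bfd_lock && echo "run 1: lock acquired"
if bfd_lock; then
    echo "BUG: a second run got the lock"
else
    echo "run 2: another instance is running, exiting"
fi
bfd_unlock

# Simulate a crashed run: lock directory left behind naming a PID that cannot
# exist (constructed value above Linux's default pid_max).
mkdir "$LOCK"
echo 4194305 > "$LOCK/pid"
bfd_lock && echo "run 3: reclaimed a stale lock"
bfd_unlock
```

A production script would also `trap bfd_unlock EXIT INT TERM` so a run that is killed mid-way releases the lock itself; the PID check covers the case where it could not.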
Download the current release of BFD, distributed under the GNU GENERAL PUBLIC
LICENSE:
- http://www.r-fx.ca/downloads/bfd-current.tar.gz
All projects on rfxnetworks.com are free for use and distribution in accordance
with the GNU GPL; funding for the continued development and research into this
and other projects is solely dependent on public contributions and donations.
If this is your first time using this software, we ask that you evaluate it and
consider a small donation; for those who frequent and are continued users of
this and other projects, we also ask that you make an occasional small donation
to help ensure the future of our public projects.
Documents:
- http://www.rfxnetworks.com/appdocs/README.bfd
Version History:
- http://www.rfxnetworks.com/appdocs/CHANGELOG.bfd