3.0 Reports & other updates
Written by Scott Shinn
Tuesday, 26 April 2011 14:05

We're getting close to the release candidate series, so it's time to give the hip-shot list of new things since the last abbreviated update:


1) More updates for DirectAdmin and cPanel environments, specifically for their custom Apache implementations. This should keep settings in parity across rebuilds.

2) The reporting module is now active. We started with some basic reports and will expand these in future updates. Currently we have a breakdown of the total attacks per day, top attackers, top login failure IPs, and some long-term attacker reports. These proved to be really enlightening, and opened up the possibility for some deeper long-term (aka "Low and Slow") attacker responses. A screenshot is available here: http://www.atomicrocketturtle.com/asl3-report.png
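To make the report types concrete, here is an added example (not ASL's own code, and not its real alert format) that builds the three basic reports and a simple long-term view from a constructed set of alert lines of the shape `<timestamp> <source_ip> <event_type>`. The "low and slow" report flags sources seen on several distinct days even when their daily volume is small, which is exactly what a per-day total hides.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample alerts (assumed format, not ASL's real log format):
# "<ISO timestamp> <source IP> <event type>"
SAMPLE_ALERTS = """\
2011-04-24T02:11:09 203.0.113.7 web_attack
2011-04-24T02:11:10 203.0.113.7 web_attack
2011-04-24T03:40:00 198.51.100.12 login_failure
2011-04-24T03:40:05 198.51.100.12 login_failure
2011-04-24T03:40:09 198.51.100.12 login_failure
2011-04-25T09:05:33 203.0.113.7 web_attack
2011-04-25T11:22:41 192.0.2.55 login_failure
2011-04-25T23:59:59 192.0.2.55 web_attack
2011-04-26T00:00:01 198.51.100.12 web_attack
"""


def parse_alerts(text):
    """Turn alert lines into (datetime, ip, event_type) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, kind = line.split()
        events.append((datetime.fromisoformat(ts), ip, kind))
    return events


def attacks_per_day(events):
    """Total events per calendar day, ordered by date."""
    per_day = Counter(ts.date().isoformat() for ts, _, _ in events)
    return dict(sorted(per_day.items()))


def top_attackers(events, n=3):
    """Source IPs ranked by total number of events."""
    return Counter(ip for _, ip, _ in events).most_common(n)


def top_login_failures(events, n=3):
    """Source IPs ranked by login_failure events only."""
    return Counter(ip for _, ip, kind in events if kind == "login_failure").most_common(n)


def long_term_attackers(events, min_days=2):
    """Sources active on at least `min_days` distinct days: the "low and slow" candidates."""
    days_seen = defaultdict(set)
    for ts, ip, _ in events:
        days_seen[ip].add(ts.date())
    return sorted(ip for ip, days in days_seen.items() if len(days) >= min_days)


if __name__ == "__main__":
    evts = parse_alerts(SAMPLE_ALERTS)
    print("attacks per day:", attacks_per_day(evts))
    print("top attackers:", top_attackers(evts))
    print("top login failures:", top_login_failures(evts))
    print("long-term attackers:", long_term_attackers(evts))
```

Note that 198.51.100.12 tops the overall list on volume, while the long-term report is the one that also surfaces 203.0.113.7, whose daily count alone would not stand out.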

3) The HIDS module has now moved over to a more Apache-like conf.d structure for rules & decoders. This makes it easier for you to maintain your own custom rules & decoders outside of either ASL or package updates.

4) Repeat Offender system. Currently this works on a multiplier with 3 levels: each time an attacker comes back, the period they are blocked for is increased by the multiplier.
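As an added illustration of the escalation idea (example code, not ASL's implementation), the tracker below grows the block period by a multiplier each time the same source is blocked again, caps the escalation at three levels, and lets old history expire so a source that stayed quiet for a long time starts over at level 1. The base period, multiplier and history window are assumed values chosen for the example, not ASL's defaults.

```python
from datetime import datetime, timedelta

# Assumed parameters for the example (not ASL's real defaults).
BASE_BLOCK = timedelta(hours=1)   # level 1 block period
MULTIPLIER = 4                    # growth factor per level
MAX_LEVEL = 3                     # escalation stops here
HISTORY_WINDOW = timedelta(days=30)  # how long a past block counts toward escalation


def block_duration(level):
    """Block period for an escalation level, capped at MAX_LEVEL."""
    level = max(1, min(level, MAX_LEVEL))
    return BASE_BLOCK * (MULTIPLIER ** (level - 1))


class RepeatOffenderTracker:
    """Per-source escalation state: current level, when it was last blocked, until when."""

    def __init__(self):
        self.state = {}  # ip -> {"level": int, "last_block": datetime, "until": datetime}

    def record_block(self, ip, now):
        """Register a new block for `ip` at time `now`; returns (level, block period)."""
        prev = self.state.get(ip)
        level = 0
        if prev is not None and now - prev["last_block"] <= HISTORY_WINDOW:
            level = prev["level"]  # recent history: escalate from the previous level
        level = min(level + 1, MAX_LEVEL)
        duration = block_duration(level)
        self.state[ip] = {"level": level, "last_block": now, "until": now + duration}
        return level, duration

    def is_blocked(self, ip, now):
        """True while the most recent block for `ip` is still in force."""
        entry = self.state.get(ip)
        return entry is not None and now < entry["until"]


if __name__ == "__main__":
    tracker = RepeatOffenderTracker()
    t0 = datetime(2011, 4, 26, 14, 5)  # constructed timestamp
    for day in range(4):
        level, period = tracker.record_block("203.0.113.7", t0 + timedelta(days=day))
        print(f"offence {day + 1}: level {level}, blocked for {period}")
```

With these assumed values the periods run 1h, 4h, 16h and then stay at 16h; a source whose last block is older than the history window is treated as a first offender again.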

5) By popular request, you can now force an update with "asl -uf".

6) The rule manager backend now supports per-agent changes; this is more of a feature for ASL Enterprise. It allows you to set active response, level, email, etc. on a per-agent basis.

7) False Negative reporting, highly useful if you need to let us know about a mis-categorized attack.

8) You can now access the details about a blocked event directly from the blocklist interface.

9) More cleanup to the Rule Manager and File check interfaces. You can now place notifies on a per-directory or per-file basis to alert a specific user when that file changes.


And lots and lots more that I can't remember right now. As always, if you want to take a peek at ASL 3.0 you can upgrade with:

yum --enablerepo=asl-2.0-testing upgrade asl asl-web



0 # Roozbeh 2012-05-14 13:25
Can you enable an RSS feed for your blog? :cry: I'd like to follow your new articles when they're posted.
0 # Mike 2012-05-14 13:35
Thanks for the question. If you go to the main blogs page you can subscribe to the RSS feed (if your browser supports this) by just selecting "Subscribe to this page". For example, in Firefox just click Bookmarks and then select "Subscribe to this page".

I've asked the web dev team to look into adding an icon for the RSS and ATOM feeds as well in case you use an external app for this.

You can also manually access the RSS feed from this URL:

0 # Roozbeh 2012-05-14 13:42
Thank you!
0 # Mike 2012-05-14 15:15
RSS link now added to the main blog page, thanks for the idea!
0 # Roozbeh 2012-05-14 15:27
Thanks Mike.