diff --git a/abck.1 b/abck.1 index 6ef55ce..62b1881 100644 --- a/abck.1 +++ b/abck.1 @@ -2,7 +2,7 @@ .SH NAME abck \- Process intrusion attempts found in the system log. .SH SYNOPSIS -abck [-dems] +abck [-dehilmsv] .SH DESCRIPTION \'abck\' is an interactive tool to examine intrusion attempts and decide what, if anything, to do about them. It reads through @@ -50,21 +50,56 @@ displayed, even if they've previously been processed). This information is kept in $HOME/.abck_history. +You may also specify a list of IPs or hostnames which \'abck\' is to +ignore by default. This is useful when you do not wish to process +"attacks" from friendly locations or you wish to ignore intrusion +attempts from particular hosts for some other reason. You can override +this default behavior using the -i and -l command line switches. + +For details on how to specify what you want ignored, see the "FILES" +section below. + .SH OPTIONS .TP .B -d # Only go back # days in the log. + .TP .B -e string Only process attack records which do not contain \'string\'. + +.TP +.B -h +Display help information. + +.TP +.B -i +Do not ignore the IPs/Hostnames found specified in +.B ~/.abck_ignored +Mutually exclusive with -l option. Last one on command line +is obeyed. + +.TP +.B -l +List ignored records as they are encountered. List all ignored +IPs/Hostnames at the end of the program run. Mutually exclusive with +-i option. Last one on command line is obeyed. + + .TP .B -m string Only process attack records if they contain \'string\'. + .TP .B -s Don't actually process the matching records, just display them. +.TP +.B -v +Display detailed version information. + + .SH RECORD PROCESSING Each time the record of an intrusion attempt is found which matches the command line-selected constraints, it is presented to the user 
@@ -166,19 +201,30 @@ .SH FILES -.B $HOME/.abck_history +.B ~/.abck_history \- History of all records user has either processed or forgotten. +.B ~/.abck_ignored +\- List of all IPs or Hostnames you want to ignore by default. Must +have only one entry per line with no whitespace or comment characters. +You may enter partial entries so that they match multiple attacking hosts. +The rule is that partial entries for IPs should be truncated on the right +and partial entries for Hostnames should be truncated on the left. For +example, 192.168.3 will ignore everything from 192.168.3.0 - 192.168.3.255. +Similarly, the entry: myschool.edu will ignore any host in that domain +regardless of the less signficant subdomains. + .SH OTHER You must have a reasonably current copy of 'python' installed for \'abck\' to operate. Also, the \'dig\' and \'whois\' programs must be on the system in a directory somewhere in $PATH. .SH BUGS AND MISFEATURES -None known as of this release. +None known as of this release, but the code is getting kind of ugly from +constant hacking. Maintenance is starting to be painful. .SH COPYRIGHT AND LICENSING -abck is Copyright(c) 2001, TundraWare Inc. +abck is Copyright(c) 2001, 2002 TundraWare Inc. For terms of use, see the abck-License.txt file in the program distribution. If you install abck on a FreeBSD system using the 'ports' mechanism, you will also find this file in /usr/local/share/doc/abck.
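Review bot: In the SYNOPSIS hunk, `+abck [-dehilmsv]` collapses every switch into one optional cluster, which hides that -d, -e and -m take an argument and that -i and -l are mutually exclusive (both facts are stated in the OPTIONS hunk). Suggest the conventional usage form so the synopsis agrees with OPTIONS, e.g. `abck [-hsv] [-d #] [-e string] [-m string] [-i | -l]`.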
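Review bot: The new -i entry in the OPTIONS hunk reads "Do not ignore the IPs/Hostnames found specified in" ("found" is a leftover), and because `.B ~/.abck_ignored` is immediately followed by "Mutually exclusive with -l option." the rendered page runs the file name straight into the next sentence with no period; use `.BR ~/.abck_ignored .` and drop "found". The added DESCRIPTION paragraph says the default can be overridden "using the -i and -l command line switches", but by the OPTIONS text only -i disables the ignore list, while -l still suppresses the records and merely reports them, so the sentence should say that -i disables the list and -l shows what it suppressed. The same hunk keeps the unchanged context "This information is kept in $HOME/.abck_history." while the FILES hunk renames that entry to ~/.abck_history; pick one spelling for the whole page. The doubled blank lines after the -l entry and before .SH RECORD PROCESSING are also inconsistent with the single blank line used between the other .TP entries.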
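Review bot: The matching rule documented for ~/.abck_ignored in the FILES hunk ("partial entries for IPs should be truncated on the right ... 192.168.3 will ignore everything from 192.168.3.0 - 192.168.3.255") is only true if the comparison is anchored on a component boundary: a plain prefix test on "192.168.3" also silences 192.168.30.0 through 192.168.39.255, and a plain suffix test on "myschool.edu" also silences hosts such as notmyschool.edu. Every over-broad match is an intrusion attempt the user never gets to see, so the page should state exactly how a partial entry is compared (or the program should require the boundary character, i.e. treat the entries as "192.168.3." and ".myschool.edu"); a reader cannot tell which behaviour applies from this hunk. The sentence "Must have only one entry per line with no whitespace or comment characters" should also say what happens to a line that violates the rule (skipped or fatal), and in particular whether an empty line is rejected rather than tested as a zero-length partial entry, since that would match every record. Typo: "signficant" should be "significant".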