
[ossec-dev] Re: Ossec and active firewall rule parameters



Daniel,

LOL, it does do it now. I put 

echo "`date` $@" >> ${PWD}/ossec-hids-responses.log

in the firewall-drop.sh and it works now :D

Thu Apr 26 09:35:10 EST 2007 Applying Rule : -I OSSEC-TEMPBLOCK -s 85.135.238.162 -j DROP
Thu Apr 26 09:39:46 EST 2007 add - 201.42.221.183 1177544386.230729 3302 /var/log/maillog
Thu Apr 26 09:39:47 EST 2007 Applying Rule : -I OSSEC-TEMPBLOCK -s 201.42.221.183 -j DROP
Thu Apr 26 09:40:28 EST 2007 add - 204.117.159.105 1177544428.231232 3302 /var/log/maillog
Thu Apr 26 09:40:29 EST 2007 Applying Rule : -I OSSEC-TEMPBLOCK -s 204.117.159.105 -j DROP
Thu Apr 26 09:40:40 EST 2007 add - 203.22.27.6 1177544440.231731 3302 /var/log/maillog
Thu Apr 26 09:40:40 EST 2007 Applying Rule : -I OSSEC-LONGBLOCK -s 203.22.27.6 -j DROP

My OSSEC-TEMPBLOCK/LONGBLOCK is just something I've added to the script.
Multiple attacks in a given time span cause a longer block time, which
works well enough for me. I'd now like to write something to read the
XML rules and figure out how long to block any for.. So real apache
attacks I can block 6 hours whereas a simple spam attack I may just do
it for 1 hour..etc.

Not 100% sure if I'll still do it but at least now that I can read the
rule ID I have that possibility.


Thanks again,
____________________________________________
George Vieira
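
An added example (not the OSSEC project's firewall-drop.sh and not George's script) showing the two ideas from this thread in one active-response script: logging every field OSSEC passes, including rule id and the agent fields $6/$7 that Daniel mentions, and choosing the block length from the rule id before picking a TEMPBLOCK or LONGBLOCK chain. The rule-id table, the chain names, the log path and the extra IP check are assumptions made for the example.

```shell
#!/bin/sh
# Argument layout as described in the thread: $1 action (add/delete), $2 user,
# $3 IP, $4 alert timestamp, $5 rule id, $6 $7 originating agent (per Daniel).
LOGFILE="${LOGFILE:-/var/ossec/logs/active-responses.log}"   # assumed path

# Accept only a dotted-quad IPv4 address so a malformed field never reaches
# iptables; a bad value is logged as INVALID instead.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Block time in seconds chosen from the rule id. The ids are placeholders;
# unknown rules fall back to a conservative one hour.
block_seconds_for_rule() {
    case "$1" in
        3302)  echo 3600 ;;   # placeholder: mail/spam rule, 1 hour
        31100) echo 21600 ;;  # placeholder: web attack rule, 6 hours
        *)     echo 3600 ;;
    esac
}

# Chain selection in the spirit of the TEMPBLOCK/LONGBLOCK split above.
chain_for_seconds() {
    if [ "$1" -gt 3600 ]; then echo OSSEC-LONGBLOCK; else echo OSSEC-TEMPBLOCK; fi
}

# The iptables arguments for this alert; fails on a bad IP or unknown action.
iptables_args() {
    action="$1" ip="$3" rule="$5"
    valid_ipv4 "$ip" || return 1
    chain=$(chain_for_seconds "$(block_seconds_for_rule "$rule")")
    case "$action" in
        add)    echo "-I $chain -s $ip -j DROP" ;;
        delete) echo "-D $chain -s $ip -j DROP" ;;
        *)      return 1 ;;
    esac
}

# One-line audit record with every field OSSEC passed plus the chosen args,
# so the firewall log alone explains why an IP is in iptables -L.
log_line() {
    printf 'action=%s ip=%s alert_ts=%s rule_id=%s agent=%s args=[%s]' \
        "$1" "$3" "$4" "$5" "$6 $7" "$(iptables_args "$@" || echo INVALID)"
}

# Entry point for use as the actual active-response script.
main() {
    echo "$(date) $(log_line "$@")" >> "$LOGFILE"
    args=$(iptables_args "$@") || exit 1
    # shellcheck disable=SC2086
    iptables $args
}
```

To use it as the script itself, append `main "$@"` as the last line.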


-----Original Message-----
From: Daniel Cid [mailto:dcid@xxxxxxxxx] 
Sent: Thursday, 26 April 2007 9:02 AM
To: ossec-dev@xxxxxxxxxxxxxxxx
Cc: George Vieira
Subject: Re: [ossec-dev] Ossec and active firewall rule parameters

Hi George,

If you are using ossec v1.0 or greater, it will by default log the event id
and rule id (in addition to the action and ip address).

Example:
Sat Apr  7 21:59:46 ADT 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - 1.1.1.1 1175993269.67597 100361

If you also go to the active response script and add values "$6, $7" it will
log the agent that generated it...

echo "`date` $0 $1 $2 $3 $4 $5 $6 $7" >> ${PWD}/../logs/active-responses.log


Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net



On 4/24/07, George Vieira <george@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Hi all,
>
> Sorry if this is mentioned before but I had no way of searching the
> mailing list.
>
> The firewall.sh script only passes the IP and the action but I'd also
> like to pass the rule which triggered it purely so when the script
> writes its log file it also appends the rule which is easier than
> going between 2 log files trying to establish why an IP appeared in the
> iptables -L list..
>
> Is this easy to get put in? Sorry, I'm not on the list.
>
> Thanks,
> ____________________________________________
> George Vieira
> Citadel Computer Systems Pty Ltd
>
>






OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.