[ossec-list] Firewall REJECT and ICMP protocol
Perhaps I'm not looking hard enough, but from what I can tell, OSSEC-HIDS 1.3 only has rules in firewall_rules.xml for matching against action="" (one firewall_drop and one multiple_drop). Shouldn't there also be a pair of rules for action=""? Something similar to:
  <rule id="4102" level="5">
    <if_sid>4100</if_sid>
    <action>REJECT</action>
    <options>no_log</options>
    <description>Firewall reject event.</description>
    <group>firewall_reject,</group>
  </rule>

  <rule id="4152" level="10" frequency="16" timeframe="45" ignore="240">
    <if_matched_sid>4102</if_matched_sid>
    <same_source_ip />
    <description>Multiple Firewall reject events from same source.</description>
    <group>multiple_reject,</group>
  </rule>
And along related lines, if I wanted to define some firewall rules for the ICMP protocol and wished to pass the ICMP type and code from the decoder to the rules, can I use srcport and dstport to do that? Namely, I'd like to do something similar to this (based off of the iptables-2 decoder):
  <decoder name="iptables-icmp">
    <parent>iptables</parent>
    <type>firewall</type>
    <prematch>^\S+ IN=</prematch>
    <regex>^(\S+) \.+ SRC=(\S+) DST=(\S+) \.+ </regex>
    <regex>PROTO=(ICMP) TYPE=(\d+) CODE=(\d+)</regex>
    <order>action,srcip,dstip,protocol,srcport,dstport</order>
  </decoder>
After which one could write some ICMP firewall rules (like warning on some of the little-used types, or flagging IPv6 types on an IP4 network). Or is attempting to reuse srcport and dstport in this way potentially going to get things confused in other rules? Right now there's only the extra_data field to use in extending the decoder.
-dean takemori
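To see how the decoding and the correlation discussed in this post fit together, the following is an added Python example; it is not part of the post and not OSSEC code. It parses constructed iptables log lines the way the decoder above would (action before "IN=", then SRC, DST, PROTO and, for ICMP, TYPE and CODE), applies the two ICMP checks the post mentions (little-used types, and types from the ICMPv6 range showing up in IPv4), and implements the frequency/timeframe/ignore semantics of the proposed rule 4152. The sample log lines, addresses, check names and the year assumed for syslog timestamps are all constructed; the example keeps ICMP type and code in fields of their own rather than reusing srcport and dstport.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Field extraction mirroring the post's decoder: the kernel LOG prefix (the
# firewall action, e.g. REJECT) is the single word before "IN=", then SRC/DST
# and PROTO; ICMP packets additionally carry TYPE and CODE. Type and code get
# their own names here instead of being carried in srcport/dstport.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<action>\S+) IN=\S* "
    r".*?SRC=(?P<srcip>\S+) DST=(?P<dstip>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: TYPE=(?P<icmp_type>\d+) CODE=(?P<icmp_code>\d+))?"
)
SYSLOG_YEAR = 2024  # syslog timestamps carry no year; assumed for the sample lines


def decode(line):
    """Decode one iptables log line into a dict of fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{SYSLOG_YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
    for k in ("icmp_type", "icmp_code"):
        ev[k] = int(ev[k]) if ev[k] is not None else None
    return ev


# Echo request/reply, destination unreachable and time exceeded are routine.
# Types 128 and up are not assigned to any standard ICMPv4 message; ICMPv6 uses
# that range for informational messages (echo, neighbour discovery, ...).
COMMON_ICMP_TYPES = {0, 3, 8, 11}


def icmp_findings(ev):
    """Names of the ICMP checks an event trips (empty for non-ICMP or routine traffic)."""
    if ev is None or ev["proto"] != "ICMP" or ev["icmp_type"] is None:
        return []
    if ev["icmp_type"] >= 128:
        return ["icmpv6_range_type_on_ipv4"]
    if ev["icmp_type"] not in COMMON_ICMP_TYPES:
        return ["uncommon_icmp_type"]
    return []


class RejectCorrelator:
    """Semantics of the proposed rule 4152: `frequency` REJECT events from one source
    within `timeframe` seconds raise one alert, then that source is ignored for
    `ignore` seconds."""

    def __init__(self, frequency=16, timeframe=45, ignore=240):
        self.frequency = frequency
        self.timeframe = timedelta(seconds=timeframe)
        self.ignore = timedelta(seconds=ignore)
        self.seen = defaultdict(list)  # srcip -> timestamps of recent REJECT events
        self.muted = {}                # srcip -> time until which it is ignored

    def feed(self, ev):
        """Return an alert dict if this event pushes its source over the threshold, else None."""
        if ev is None or ev["action"] != "REJECT":
            return None
        ip, now = ev["srcip"], ev["ts"]
        if ip in self.muted and now < self.muted[ip]:
            return None
        window = [t for t in self.seen[ip] if now - t <= self.timeframe]
        window.append(now)
        self.seen[ip] = window
        if len(window) >= self.frequency:
            self.muted[ip] = now + self.ignore
            self.seen[ip] = []
            return {"rule": 4152, "srcip": ip, "count": len(window), "at": now}
        return None


def run(lines, correlator=None):
    """Decode each line; return (reject alerts, ICMP findings as (srcip, type, code, check))."""
    corr = correlator or RejectCorrelator()
    alerts, icmp = [], []
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue
        alert = corr.feed(ev)
        if alert:
            alerts.append(alert)
        for check in icmp_findings(ev):
            icmp.append((ev["srcip"], ev["icmp_type"], ev["icmp_code"], check))
    return alerts, icmp


def _line(sec, action, src, proto_fields):
    """Build a constructed iptables log line (RFC 5737 documentation addresses)."""
    return (f"Feb 10 12:00:{sec:02d} fw kernel: {action} IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST=192.0.2.10 "
            f"LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO={proto_fields}")


# Constructed sample: 16 rejected connections from one source, then three ICMP packets.
SAMPLE_LOG = (
    [_line(s, "REJECT", "203.0.113.7", f"TCP SPT={40000 + s} DPT={s + 1} WINDOW=1024")
     for s in range(16)]
    + [_line(20, "DROP", "203.0.113.9", "ICMP TYPE=13 CODE=0 ID=100 SEQ=1"),    # timestamp request
       _line(21, "ACCEPT", "198.51.100.4", "ICMP TYPE=8 CODE=0 ID=200 SEQ=1"),  # ordinary echo
       _line(22, "DROP", "203.0.113.9", "ICMP TYPE=128 CODE=0 ID=300 SEQ=1")]   # ICMPv6 echo type on IPv4
)

if __name__ == "__main__":
    for item in run(SAMPLE_LOG):
        print(item)
```

Run as a script it prints one rule-4152 alert for 203.0.113.7 and two ICMP findings for 203.0.113.9; feeding the same lines a second time through the same correlator produces no further alert because the source is still inside its ignore window.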
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.