Perhaps I'm not looking hard enough, but from what I can tell, 
OSSEC-HIDS 1.3 only has rules in firewall_rules.xml for matching
against action=DROP. (one firewall_drop and one multiple_drop)

Shouldn't there also be a pair of rules for action=REJECT? 
Something similar to 

  <rule id="4102" level="5">
    <if_sid>4100</if_sid>
    <action>REJECT</action>
    <options>no_log</options>
    <description>Firewall reject event.</description>
    <group>firewall_reject,</group>
  </rule>

  <rule id="4152" level="10" frequency="16" timeframe="45" ignore="240">
    <if_matched_sid>4102</if_matched_sid>
    <same_source_ip />
    <description>Multiple Firewall reject events from same source.</description>
    <group>multiple_reject,</group>
  </rule>
And along related lines, if I wanted to define some firewall rules
for the ICMP protocol and wished to pass the ICMP type and code
from the decoder to the rules, can I use srcport and dstport to
do that?  Namely, I'd like to do something similar to this (based off
of the iptables-2 decoder):

<decoder name="iptables-icmp">
   <parent>iptables</parent>
   <type>firewall</type>
   <prematch>^\S+ IN=</prematch>

   <regex>^(\S+) \.+ SRC=(\S+) DST=(\S+) \.+ </regex>
   <regex>PROTO=(ICMP) TYPE=(\d+) CODE=(\d+)</regex>
   <order>action,srcip,dstip,protocol,srcport,dstport</order>
</decoder>


After which one could write some ICMP firewall rules (like warning
on some of the little-used types, or flagging IPv6 types on an IPv4
network).

Or is attempting to reuse srcport and dstport in this way potentially 
going to get things confused in other rules?  Right now there's only
the extra_data field to use in extending the decoder.

-dean takemori

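As an added illustration (not part of the post above, nor OSSEC project code), here is a small Python model of what the proposed 4102/4152 pair would do: decode the action and source IP from constructed iptables lines, count REJECTs per source in a sliding window, and alert once `frequency` of them fall within `timeframe` seconds, then stay quiet for `ignore` seconds. The simplified regex and the exact counting semantics are assumptions, not OSSEC's own dialect or engine.

```python
import re
from collections import defaultdict, deque

# Simplified stand-in for the OSSEC decoder: pull action and source IP out of
# an iptables log line (OSSEC's regex dialect differs from Python's).
FW_LINE = re.compile(r"^(?P<action>\S+) IN=.*?SRC=(?P<srcip>\S+)")

def correlate(events, action="REJECT", frequency=16, timeframe=45, ignore=240):
    """Model of a rule like 4152: alert when `frequency` events of `action`
    from the same source fall within `timeframe` seconds, then suppress
    further alerts for that source for `ignore` seconds.  Sliding-window
    approximation; OSSEC's precise counting is an assumption here.
    events: iterable of (timestamp_seconds, log_line) -> list of (ts, srcip)."""
    window = defaultdict(deque)   # srcip -> timestamps inside the window
    muted_until = {}              # srcip -> time until which alerts are suppressed
    alerts = []
    for ts, line in events:
        m = FW_LINE.match(line)
        if not m or m.group("action") != action:
            continue              # not a reject: rule 4102 would not fire
        src = m.group("srcip")
        q = window[src]
        q.append(ts)
        while q and ts - q[0] > timeframe:
            q.popleft()           # discard hits older than the timeframe
        if len(q) >= frequency and muted_until.get(src, -1) <= ts:
            alerts.append((ts, src))
            muted_until[src] = ts + ignore
            q.clear()
    return alerts

def sample_events():
    """Constructed input: 20 REJECTs from 10.0.0.5 two seconds apart (16 of
    them inside 45 s), 5 REJECTs from 10.0.0.9, and 20 DROPs to be ignored."""
    tmpl = ("{act} IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            "SRC={src} DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=22")
    ev = [(1000 + 2 * i, tmpl.format(act="REJECT", src="10.0.0.5")) for i in range(20)]
    ev += [(1005 + 10 * i, tmpl.format(act="REJECT", src="10.0.0.9")) for i in range(5)]
    ev += [(1001 + 3 * i, tmpl.format(act="DROP", src="10.0.0.5")) for i in range(20)]
    return sorted(ev)

if __name__ == "__main__":
    for ts, src in correlate(sample_events()):
        print(f"t={ts}: multiple firewall reject events from {src}")
```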