I have my PIX logging to one of my Linux boxes, and OSSEC is doing a good job of parsing the logs. I am curious to know if anyone has configured active response to control "shun" on the PIX? It seems like it would be an easy setup, but I am curious to know how I can have OSSEC send shuns to the PIX, even though it sees the activity as coming from a local log on one of the Unix boxes...
As for the shun, I believe I have (found) a Perl program that will execute the command on the PIX using a format like this:

./pix.pl --block 1.2.3.4
./pix.pl --unblock 1.2.3.4

How does OSSEC communicate with the existing active-response commands? I have yet to stumble across anything that documents the calling of the commands, short of what's in the active-response directory:

./firewall-drop.sh: <action> <username> <ip>

which does not exactly match the contents of the file...

#!/bin/sh
# Adds an IP to the iptables drop list (if linux)
# Adds an IP to the ipfilter drop list (if solaris, freebsd or netbsd)
# Adds an IP to the ipsec drop list (if aix)
# Requirements: Linux with iptables, Solaris/FreeBSD/NetBSD with ipfilter or AIX with IPSec
# Expect: srcip <---------------------------------------------------------------------------- Look!
# Author: Ahmet Ozturk (ipfilter and IPSec)
# Author: Daniel B. Cid (iptables)
# Last modified: Feb 14, 2006

If I can determine the standard format that OSSEC uses, it should be easy to craft some rules to send shuns to the PIX... Anyone been there, done that?

Thanks!
Scott Shekels
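Added example (not the poster's pix.pl and not a script shipped with OSSEC): a wrapper that follows the same positional-argument convention firewall-drop.sh reads (ACTION=$1, USER=$2, IP=$3, with alert id, rule id, agent and file name following) and hands the address to the poster's pix.pl as --block or --unblock. The path to pix.pl, the script name pix-shun.sh and the log line are assumptions; the "add"/"delete" action values are the ones firewall-drop.sh tests for. The address is validated before it reaches the firewall command because it comes straight out of the parsed log.

```shell
#!/bin/sh
# pix-shun.sh: OSSEC active-response wrapper around the poster's pix.pl
# (added example, not part of the original post or of OSSEC).
#
# OSSEC invokes every active-response executable with the same positional
# arguments, which is what firewall-drop.sh reads as ACTION/USER/IP:
#   $1  action   "add" when the rule fires, "delete" when <timeout> expires
#   $2  user     the user from the alert ("-" when there is none)
#   $3  srcip    the source IP from the alert (what "# Expect: srcip" refers to)
#   $4  alert id, $5 rule id, $6 agent name, $7 file name (unused here)

# Assumed location of the poster's Perl script; override via the environment.
PIX_CMD="${PIX_CMD:-/var/ossec/active-response/bin/pix.pl}"

# Accept only a well-formed dotted-quad IPv4 address. The value is taken from
# a log line, so anything else (shell metacharacters, hostnames, empty
# strings) must never be passed on to a command that talks to the firewall.
valid_ipv4() {
  ip=$1
  case "$ip" in
    *[!0-9.]* | "" | .* | *. | *..*) return 1 ;;
  esac
  IFS=.
  set -- $ip
  unset IFS
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Map OSSEC's add/delete onto pix.pl's --block/--unblock.
pix_shun_response() {
  action=$1
  user=$2
  ip=$3
  if ! valid_ipv4 "$ip"; then
    echo "pix-shun: refusing malformed address '$ip'" >&2
    return 2
  fi
  echo "pix-shun: action=$action ip=$ip user=$user" >&2   # assumed log line
  case "$action" in
    add)    "$PIX_CMD" --block "$ip" ;;
    delete) "$PIX_CMD" --unblock "$ip" ;;
    *)
      echo "pix-shun: unknown action '$action'" >&2
      return 2
      ;;
  esac
}

# When OSSEC executes the script it supplies the arguments above; run only then.
if [ $# -ge 3 ]; then
  pix_shun_response "$1" "$2" "$3"
fi
```

To register it, add a <command> in ossec.conf whose <executable> is pix-shun.sh with <expect>srcip</expect> (the line the "Look!" arrow points at is what that element refers to) and <timeout_allowed>yes</timeout_allowed>, then an <active-response> naming that command with a <location> of server (the script runs on the manager, which is where the PIX syslog is being read) and a <timeout>, so OSSEC calls the script again with "delete" and the shun is lifted automatically.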
