Hi Scott,
On the configuration side, you can set the active response to always run on the server, where you would call the pix command:
<command>
  <name>pix-block</name>
  <executable>pix-block.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>pix-block</command>
  <location>server</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
Now, the pix-block.sh command can be very simple and call your
"pix.pl" based on the argument. Example:
"
#!/bin/sh
# OSSEC invokes active-response scripts as: <action> <username> <ip>
ACTION=$1
USER=$2
IP=$3
# "add" when the rule fires: shun the source IP on the PIX via pix.pl
# (expected next to this script).
if [ "x${ACTION}" = "xadd" ]; then
./pix.pl --block "${IP}"
exit 0;
fi
# "delete" when the <timeout> expires: lift the shun again.
if [ "x${ACTION}" = "xdelete" ]; then
./pix.pl --unblock "${IP}"
exit 0;
fi
"
Hope it helps. If you get this working, please share your scripts with us :)
--
Daniel B. Cid
dcid ( at ) ossec.net
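A fuller version of the wrapper, written here as an added example rather than Daniel's script or anything shipped with OSSEC: it validates the srcip that OSSEC passes as the third argument before handing it to pix.pl, keeps a never-shun list so the server cannot lock itself out of its own management path, and maps "add"/"delete" (the latter fired when <timeout> expires) to pix.pl's --block/--unblock. The install path of pix.pl, the PIX_DRY_RUN switch and the addresses on the never-shun list are assumptions for the illustration, not settings from the thread.

```shell
#!/bin/sh
# pix-block.sh: OSSEC active-response wrapper that drives a PIX "shun"
# through Scott's pix.pl. Added illustration, not the script from the thread.
# OSSEC calls it as:   pix-block.sh <action> <username> <srcip>
# with action "add" when the rule fires and "delete" when <timeout> expires.

# Assumed install path of pix.pl; override with the PIX_CMD environment variable.
PIX_CMD="${PIX_CMD:-/var/ossec/active-response/bin/pix.pl}"
LOG="${PIX_LOG:-/var/ossec/logs/active-responses.log}"
# Addresses that must never be shunned. Constructed sample values: the OSSEC
# server and the syslog relay. Shunning your own management path is the
# classic self-inflicted outage of automatic blocking.
NEVER_BLOCK="${NEVER_BLOCK:-10.0.0.5 10.0.0.10 127.0.0.1}"

# valid_ipv4 ADDR: succeeds only for a dotted quad with every octet in 0-255.
# srcip is lifted straight from a parsed log line, so it is checked before
# it is handed to anything that talks to the firewall.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Split on dots inside a subshell so the caller's IFS is left untouched.
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for o in "$@"; do
            [ "$o" -le 255 ] 2>/dev/null || exit 1
        done
    )
}

# protected_ip ADDR: succeeds when ADDR is on the never-block list.
protected_ip() {
    for p in $NEVER_BLOCK; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# pix_flag ACTION: maps the OSSEC action to the pix.pl option; fails on
# anything else so an unexpected action is logged rather than guessed at.
pix_flag() {
    case "$1" in
        add)    echo "--block" ;;
        delete) echo "--unblock" ;;
        *)      return 1 ;;
    esac
}

# log_line TEXT: appends to the active-responses log; never fails the script.
log_line() {
    printf '%s %s\n' "$(date '+%a %b %d %H:%M:%S %Y')" "$*" 2>/dev/null >>"$LOG" || true
}

# main ACTION USER IP: validate, then call pix.pl (or print the command when
# PIX_DRY_RUN is set). Distinct exit codes make rejections easy to spot.
main() {
    action=$1; user=$2; ip=$3
    if ! valid_ipv4 "$ip"; then
        log_line "pix-block.sh: rejected malformed srcip '$ip' (action=$action user=$user)"
        return 2
    fi
    if protected_ip "$ip"; then
        log_line "pix-block.sh: refusing to shun protected address $ip"
        return 3
    fi
    flag=$(pix_flag "$action") || { log_line "pix-block.sh: unknown action '$action'"; return 4; }
    log_line "pix-block.sh: $action $ip -> $PIX_CMD $flag $ip"
    if [ -n "$PIX_DRY_RUN" ]; then
        echo "$PIX_CMD $flag $ip"
        return 0
    fi
    "$PIX_CMD" "$flag" "$ip"
}

# OSSEC's arguments arrive in "$@" when the script is installed under
# active-response/bin; with no arguments nothing runs.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it once by hand with PIX_DRY_RUN=1 (for example `PIX_DRY_RUN=1 ./pix-block.sh add - 192.0.2.10`) to see the exact pix.pl command it would issue before letting OSSEC drive it; the rejection exit codes 2, 3 and 4 end up in active-responses.log, so a bad argument shows up there instead of disappearing silently.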
On Fri, Sep 26, 2008 at 3:58 PM, <[EMAIL PROTECTED]> wrote:
>
> I have my pix logging to one of my linux boxes, and Ossec is doing a
> good job of parsing the logs. I am curious to know if anyone has
> configured active response to control "shun" on the pix? It seems like
> it would be an easy setup, but I am curious to know how I can have
> ossec send shuns to the pix, even though it sees the activity as
> coming from a local log on one of the unix boxes...
>
> As for the shun, I believe I have (found) a perl program that will
> execute the command on the pix using a format like this:
>
> ./pix.pl --block 1.2.3.4
> ./pix.pl --unblock 1.2.3.4
>
> How does ossec communicate with the existing active response commands?
> I have yet to stumble across anything that documents the calling of
> the commands, short of what's in the active-response directory:
>
> ./firewall-drop.sh: <action> <username> <ip>
>
> which does not exactly match the contents of the file...
>
> #!/bin/sh
> # Adds an IP to the iptables drop list (if linux)
> # Adds an IP to the ipfilter drop list (if solaris, freebsd or netbsd)
> # Adds an IP to the ipsec drop list (if aix)
> # Requirements: Linux with iptables, Solaris/FreeBSD/NetBSD with
> ipfilter or AIX with IPSec
> # Expect: srcip
> <----------------------------------------------------------------------------
> Look!
> # Author: Ahmet Ozturk (ipfilter and IPSec)
> # Author: Daniel B. Cid (iptables)
> # Last modified: Feb 14, 2006
>
> If I can determine the standard format the OSSEC uses, it should be
> easy to craft some rules to send shuns to the pix...
>
> Anyone been there, done that?
>
> Thanks!
>
> Scott Shekels