Hello,
It seems that OSSEC supports PF rules, but when there are multiple drops, I would like to receive an email.
There is this in decoder.xml:
<decoder name="pf">
  <type>firewall</type>
  <program_name>^pf$</program_name>
  <plugin_decoder>PF_Decoder</plugin_decoder>
</decoder>
And when I paste a PF log into ossec-logtest, it matches rules:
**Phase 2: Completed decoding.
decoder: 'pf'
**Phase 3: Completed filtering (rules).
Rule id: '4100'
Level: '0'
Description: 'Firewall rules grouped.'
And this in firewall.rules:
<rule id="4101" level="5">
  <if_sid>4100</if_sid>
  <!-- <action>DROP</action> -->
  <!-- <action>block</action> -->
  <match>block</match>
  <!-- <options>no_log</options> -->
  <description>Firewall drop event.</description>
  <group>firewall_drop,</group>
</rule>

<rule id="4151" level="10" frequency="16" timeframe="45" ignore="240">
  <if_matched_sid>4101</if_matched_sid>
  <same_source_ip />
  <description>Multiple Firewall drop events from same source.</description>
  <group>multiple_drops,</group>
</rule>
I've tried to write a rule in local_rules.xml, but with no success.
Have you got a solution to send an email when a scan is detected?
Regards
Thomas BRETON
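Added example, not part of the original post: the two OSSEC settings that decide whether a composite rule like 4151 produces an email. A rule only mails if its level reaches `<email_alert_level>` in ossec.conf (default 7) or it carries `<options>alert_by_email</options>`; the second fragment uses `overwrite="yes"` in local_rules.xml to add that option to the stock rule 4151 without duplicating it. Mail addresses and the SMTP host are placeholders.

```xml
<!-- ossec.conf (fragment). Email alerting is off unless enabled in
     <global>; the <alerts> block sets the minimum level that is mailed.
     Addresses and smtp_server below are placeholders. -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>soc@example.com</email_to>
    <smtp_server>smtp.example.com</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <!-- rule 4151 is level 10, so it clears this threshold by default;
         raising it above 10 would silence the mail for PF bursts -->
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>

<!-- local_rules.xml (fragment). overwrite="yes" replaces the stock 4151
     with this copy, so the burst is still counted once but the alert is
     also forced to email regardless of email_alert_level. The child
     rule 4101 (<match>block</match>) must fire first for each PF line;
     if ossec-logtest stops at 4100, the "block" keyword is not in the
     log line being tested. -->
<group name="local,firewall,">
  <rule id="4151" level="10" frequency="16" timeframe="45" ignore="240"
        overwrite="yes">
    <if_matched_sid>4101</if_matched_sid>
    <same_source_ip />
    <options>alert_by_email</options>
    <description>Multiple PF block events from the same source.</description>
    <group>multiple_drops,</group>
  </rule>
</group>
```

Composite (frequency/timeframe) rules keep state in ossec-analysisd, so a single pasted line in ossec-logtest shows only the per-event rule 4101; the 4151 alert appears in alerts.log once the burst is seen live.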