Dear all, I wonder if there is any way in OSSEC to configure active-response so that it blocks both the source and the destination in firewall-drop.sh, for example:
    if [ "X${UNAME}" = "XLinux" ]; then
        if [ "x${ACTION}" = "xadd" ]; then
            ARG1="-I INPUT -s ${IP} -j DROP"
            ARG2="-I FORWARD -s ${IP} -j DROP"
        else
            ARG1="-D INPUT -s ${IP} -j DROP"
            ARG2="-D FORWARD -s ${IP} -j DROP"
        fi

add:

    -I INPUT -s ${IP} -d ${DSTIP} -j DROP
    -I FORWARD -s ${IP} -d ${DSTIP} -j DROP
Has someone already done something similar?
Regards,
Guilherme
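The following is an added example, not the poster's script and not OSSEC's own firewall-drop.sh. It shows one way to build the INPUT/FORWARD rule specs for a source/destination pair while keeping the stock source-only behaviour when no destination is given, and it validates both addresses before they are handed to iptables so a malformed alert field cannot become an arbitrary argument. The names build_rules, apply_rules and valid_ip are hypothetical, and it is an assumption that the destination address reaches the script as an extra positional argument; how OSSEC would supply it is not covered here.

```shell
#!/bin/sh
# Added example (hypothetical helper, not OSSEC's firewall-drop.sh).
# ASSUMPTION: the destination address arrives as an optional third argument;
# the stock active-response interface is not modified here.

# Minimal IPv4 dotted-quad check, so only well-formed addresses are
# interpolated into the iptables command line.
valid_ip() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the INPUT and FORWARD rule specs for "add" or "delete".
# Usage: build_rules <add|delete> <SRCIP> [DSTIP]
# Without DSTIP the output matches the stock source-only rules.
build_rules() {
    action="$1"; srcip="$2"; dstip="$3"
    valid_ip "$srcip" || { echo "bad source ip: $srcip" >&2; return 1; }
    if [ -n "$dstip" ]; then
        valid_ip "$dstip" || { echo "bad destination ip: $dstip" >&2; return 1; }
        match="-s ${srcip} -d ${dstip}"
    else
        match="-s ${srcip}"
    fi
    case "$action" in
        add)    op="-I" ;;
        delete) op="-D" ;;
        *)      echo "unknown action: $action" >&2; return 1 ;;
    esac
    echo "${op} INPUT ${match} -j DROP"
    echo "${op} FORWARD ${match} -j DROP"
}

# Apply the specs with iptables (needs root). Kept separate from build_rules
# so the rule construction can be checked without touching the firewall.
apply_rules() {
    build_rules "$@" | while read -r spec; do
        # word-splitting of $spec into separate iptables arguments is intended
        iptables $spec
    done
}
```

Calling apply_rules add 203.0.113.5 198.51.100.7 (documentation addresses used as constructed sample input) inserts a DROP for that pair in INPUT and FORWARD; apply_rules delete with the same arguments removes it again, which is what the active-response timeout expects.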
