Yes, it'll give you the diff. The cron is why I said this is a stupid solution. ;)
You could potentially set up a full_command to do the:
"iptables -nL > /var/iptables_check/current 2>&1"
The output from that command should never change (it should always be blank), so I'm hoping it wouldn't trigger any alerts.

On Sat, Apr 23, 2011 at 7:23 PM, Satish Patel <[email protected]> wrote:
> Hey Dan,
>
> You mean to say this way it will only give diff output in the alert, right?
>
> But you know this way I have to maintain an external crontab.
>
> --
> Sent from my iPhone
>
> On Apr 23, 2011, at 1:56 PM, "dan (ddp)" <[email protected]> wrote:
>
>> Stupid solution:
>> Periodically "iptables -nL > /var/iptables_check/current"
>> And syscheck that directory with something like:
>> <directories realtime="yes" report_changes="yes" check_all="yes">/var/iptables_check</directories>
>>
>> On Fri, Apr 22, 2011 at 5:01 PM, dan (ddp) <[email protected]> wrote:
>>>
>>> I know what you're saying, and I thought the check_diff option did that. My mistake.
>>> If not, I don't think there's a way to do it.
>>>
>>> On Fri, Apr 22, 2011 at 4:53 PM, satish patel <[email protected]> wrote:
>>>>
>>>> Thanks Dan,
>>>>
>>>> I have that option, and it's working, but the problem is it's dumping the full
>>>> iptables -L -n output in my email alerts. I want only the diff output of the
>>>> particular changes in iptables. Do you know what I am saying?
>>>>
>>>> <!-- Monitoring firewall rules -->
>>>> <rule id="100004" level="10">
>>>>   <if_sid>530</if_sid>
>>>>   <match>ossec: output: 'iptables -S</match>
>>>>   <check_diff />
>>>>   <description>Change made to iptables</description>
>>>> </rule>
>>>>
>>>> On Fri, Apr 22, 2011 at 4:35 PM, dan (ddp) <[email protected]> wrote:
>>>>>
>>>>> It should be possible. Try adding <check_diff /> to the rule.
>>>>>
>>>>> More info:
>>>>>
>>>>> http://dcid.me/2010/03/alerting-when-a-log-or-output-of-a-command-changes/
>>>>>
>>>>> On Fri, Apr 22, 2011 at 4:28 PM, satish patel <[email protected]> wrote:
>>>>>>
>>>>>> Thanks dan,
>>>>>>
>>>>>> Is it possible I get diff output of my iptables command? Currently it's
>>>>>> dumping the full output. It would be good if we had only the diff output.
>>>>>>
>>>>>> -S
>>>>>>
>>>>>> On Fri, Apr 22, 2011 at 4:11 PM, dan (ddp) <[email protected]> wrote:
>>>>>>>
>>>>>>> There is no setting to do what you want. You'll have to dig into the source.
>>>>>>>
>>>>>>> On Fri, Apr 22, 2011 at 3:46 PM, satish patel <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Hey Guys!
>>>>>>>>
>>>>>>>> I am monitoring iptables output and doing check_diff to compare and
>>>>>>>> alert, but somehow I am getting half the output of "iptables -L -n". I
>>>>>>>> knew there is a limit on email alert output.
>>>>>>>>
>>>>>>>> Can we increase the limit?
>>>>>>>>
>>>>>>>> -S
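One way to get the behaviour the thread is after (an alert that carries only the changed firewall rules rather than the whole `iptables -S` dump) is to do the diffing in the command itself and let OSSEC's full_command ship whatever it prints. The script below is an added example, not code from the thread or from OSSEC; the state path under /var/iptables_check is an assumption borrowed from the thread, and the sample rule sets in the test are constructed.

```python
"""Print only the iptables rules that changed since the last run.

Intended to be run as the command behind an OSSEC full_command (or from cron):
when nothing changed it prints nothing, so no alert is raised; when rules were
added, removed or reordered, only those lines reach the alert.
"""
import difflib
import pathlib
import subprocess

# Assumed state location (same directory the thread uses for its snapshots).
STATE_FILE = pathlib.Path("/var/iptables_check/last_rules")


def diff_rules(previous: str, current: str) -> list[str]:
    """Return '+'/'-' prefixed lines for rules that were added or removed.

    Rule order matters in iptables (a rule moved above a DROP changes policy),
    so a unified diff with zero context is used rather than a set difference:
    a moved rule shows up as one removal plus one insertion.
    """
    diff = difflib.unified_diff(previous.splitlines(), current.splitlines(),
                                lineterm="", n=0)
    # Drop the ---/+++ file headers and @@ hunk markers; keep only rule lines.
    return [line for line in diff
            if line[:1] in ("+", "-") and not line.startswith(("---", "+++"))]


def check(current: str, state_file: pathlib.Path = STATE_FILE) -> list[str]:
    """Compare against the stored snapshot, persist the new one, return the diff.

    The first run only records a baseline and reports nothing.
    """
    previous = state_file.read_text() if state_file.exists() else None
    state_file.parent.mkdir(parents=True, exist_ok=True)
    state_file.write_text(current)
    return [] if previous is None else diff_rules(previous, current)


if __name__ == "__main__":
    # `iptables -S` prints rules in a stable, diff-friendly form (needs root).
    rules = subprocess.run(["iptables", "-S"], check=True,
                           capture_output=True, text=True).stdout
    for changed in check(rules):
        print(changed)  # empty when nothing changed, so no alert fires
```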
