Thanks for the update! Let me try cron and see how it goes. Also, is it possible to send these iptables change notifications to a particular person rather than to everyone? I mean rule-specific alerting.
-S

On Tue, Apr 26, 2011 at 4:39 PM, dan (ddp) <[email protected]> wrote:
> Yes, it'll give you the diff.
> The cron is why I said this is a stupid solution. ;)
>
> You could potentially set up a full_command to do the:
> "iptables -nL > /var/iptables_check/current 2>&1"
>
> The output from that command should never change (it should always be
> blank), so I'm hoping it wouldn't trigger any alerts.
>
> On Sat, Apr 23, 2011 at 7:23 PM, Satish Patel <[email protected]> wrote:
>> Hey Dan,
>>
>> You mean to say this way it will only give diff output in the alert, right?
>>
>> But you know this way I have to maintain an external crontab.
>>
>> --
>> Sent from my iPhone
>>
>> On Apr 23, 2011, at 1:56 PM, "dan (ddp)" <[email protected]> wrote:
>>
>>> Stupid solution:
>>> Periodically "iptables -nL > /var/iptables_check/current"
>>> And syscheck that directory with something like:
>>> <directories realtime="yes" report_changes="yes"
>>> check_all="yes">/var/iptables_check</directories>
>>>
>>> On Fri, Apr 22, 2011 at 5:01 PM, dan (ddp) <[email protected]> wrote:
>>>>
>>>> I know what you're saying, and I thought the check_diff option did
>>>> that. My mistake.
>>>> If not, I don't think there's a way to do it.
>>>>
>>>> On Fri, Apr 22, 2011 at 4:53 PM, satish patel <[email protected]>
>>>> wrote:
>>>>>
>>>>> Thanks Dan,
>>>>>
>>>>> I have that option, and it's working, but the problem is it's dumping the
>>>>> full iptables -L -n output in my email alerts. I want only the diff output
>>>>> of the particular changes in iptables. Do you know what I am saying?
>>>>>
>>>>> <!-- Monitoring firewall rules -->
>>>>> <rule id="100004" level="10">
>>>>> <if_sid>530</if_sid>
>>>>> <match>ossec: output: 'iptables -S</match>
>>>>> <check_diff />
>>>>> <description>Change made to iptables</description>
>>>>> </rule>
>>>>>
>>>>> On Fri, Apr 22, 2011 at 4:35 PM, dan (ddp) <[email protected]> wrote:
>>>>>>
>>>>>> It should be possible. Try adding <check_diff /> to the rule.
>>>>>>
>>>>>> More info:
>>>>>>
>>>>>> http://dcid.me/2010/03/alerting-when-a-log-or-output-of-a-command-changes/
>>>>>>
>>>>>> On Fri, Apr 22, 2011 at 4:28 PM, satish patel <[email protected]>
>>>>>> wrote:
>>>>>>>
>>>>>>> Thanks dan,
>>>>>>>
>>>>>>> Is it possible to get diff output of my iptables command? Currently it's
>>>>>>> dumping the full output. It would be good if we had only the diff output.
>>>>>>>
>>>>>>> -S
>>>>>>>
>>>>>>> On Fri, Apr 22, 2011 at 4:11 PM, dan (ddp) <[email protected]> wrote:
>>>>>>>>
>>>>>>>> There is no setting to do what you want. You'll have to dig into the
>>>>>>>> source.
>>>>>>>>
>>>>>>>> On Fri, Apr 22, 2011 at 3:46 PM, satish patel <[email protected]>
>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> Hey Guys!
>>>>>>>>>
>>>>>>>>> I am monitoring iptables output and doing check_diff to compare and
>>>>>>>>> alert, but somehow I am getting half the output of "iptables -L -n". I
>>>>>>>>> know there is a limit on email alert output.
>>>>>>>>>
>>>>>>>>> Can we increase the limit?
>>>>>>>>>
>>>>>>>>> -S
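Added example, not from the thread and not OSSEC code: the cron-driven half of the snapshot-and-syscheck approach Dan sketches above, written as a POSIX sh script. It dumps the ruleset into the directory that syscheck watches, so the diff in the alert comes from report_changes rather than from check_diff's full command output. The directory names, the .work sibling directory, the file names and the helper names are assumptions; the rule dump uses iptables -S (one rule per line, no headers) rather than -nL so that a diff lands on whole rules.

```shell
#!/bin/sh
# Added example (not from the thread): periodic ruleset snapshot for OSSEC syscheck.
# Only "current" lives in the watched directory, so syscheck raises one event per
# change; bookkeeping (previous copy, last diff, temp file) goes in a sibling
# ".work" directory on the same filesystem so it does not generate its own alerts.

# snapshot_ruleset WATCH_DIR CMD [ARGS...]
#   Runs CMD, compares its output with WATCH_DIR/current, and on change replaces
#   "current" with a single rename. Keeps WATCH_DIR.work/previous and
#   WATCH_DIR.work/last.diff. Returns 0 when the ruleset changed, 1 when unchanged.
#   CMD is a parameter so the function can be exercised with constructed output
#   where iptables is not available or the caller is not root.
snapshot_ruleset() {
    watch="$1"; shift
    work="${watch}.work"          # assumed sibling path, outside the watched tree
    mkdir -p "$watch" "$work"
    tmp="$work/current.tmp"
    # stderr is folded in on purpose: if iptables fails (e.g. the cron job is not
    # root), the error text becomes the snapshot and shows up as a change instead
    # of the ruleset silently appearing to be stable.
    "$@" >"$tmp" 2>&1
    if [ -f "$watch/current" ] && cmp -s "$tmp" "$watch/current"; then
        rm -f "$tmp"
        return 1
    fi
    prev="$work/previous"
    if [ -f "$watch/current" ]; then
        cp -f "$watch/current" "$prev"
    else
        : >"$prev"                # first run: diff against an empty baseline
    fi
    diff -u "$prev" "$tmp" >"$work/last.diff" || :   # diff exits 1 when files differ
    mv -f "$tmp" "$watch/current" # one rename, so realtime syscheck sees a complete file
    return 0
}

# changed_rules WATCH_DIR
#   Prints only the added (+) and removed (-) rule lines from the last diff,
#   skipping the ---/+++ headers, @@ hunk markers and context lines.
changed_rules() {
    grep -E '^[-+]-[ANP] ' "${1}.work/last.diff" 2>/dev/null || :
}

# Cron entry (assumed path), run as root because iptables needs CAP_NET_ADMIN:
#   */5 * * * * root /usr/local/sbin/iptables_snapshot.sh run
if [ "${1:-}" = "run" ]; then
    snapshot_ruleset /var/iptables_check iptables -S
fi
```

Point syscheck at the watched directory exactly as in the thread, with `<directories realtime="yes" report_changes="yes" check_all="yes">/var/iptables_check</directories>`; report_changes is what puts the diff of `current` into the alert, and because the temp file and the previous copy are written next to, not inside, that directory, the agent does not also alert on the script's own bookkeeping. The `last.diff` file is a local convenience for a second consumer (for example a script that mails only `changed_rules` output); OSSEC does not read it.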
