On Friday, March 8, 2013 9:39:56 AM UTC-4, dan (ddpbsd) wrote:

> On Fri, Mar 8, 2013 at 7:07 AM, Jean-Pierre Zurbrugg <[email protected]> wrote:
> > The test action was just to confirm OSSEC somehow only works with "DROP" and
> > nothing else. In our prod environment we use iptables with the following log
> > suffixes:
> >
> > "[UFW: CatchAll]: "
> > "[UFW: ILEGAL PKT]: "
> > "[UFW: ChainFilter]: "
> > "[UFW: SCAN]: "
> >
>
> Do you have a link to the documentation dealing with these actions? I
> can't quite wrap my head around what they mean.
>
> I'm probably just being old. Back in my day firewalls pretty much only
> passed or rejected packets. :P

Don't have any documentation, these are just tags I created to distinguish firewall events from the default DROP,REJECT,PASS actions. I posted a few decoders on my local_decoder so that I can handle each type of event and make a decision on whether or not I should send a notification to my mobile (high lvl alert).

From iptables' manual page:

    --log-prefix prefix
        Prefix log messages with the specified prefix; up to 29 letters long,
        and useful for distinguishing messages in the logs.

> > I'll check src/analysis/alerts/log.c but I have zip experience with that
> > language. It's taken me a month to get ossec2snorby.pl working and it's made
> > up of simplistic changes :( but it doesn't hurt to try.
>
> TEST might be more difficult since T is already used, and U seems to
> be used a lot (every action you posted above starts with U).

I'm not following, let's forget all about TEST or UFW as actions. Do firewall event actions need to be specifically tied to "DROP" or stated in /src/analysis/alerts/log.c? What I'm hoping can be accomplished is the ability to match a firewall type rule against a log entry and have it fire'n log to alerts.log based on an action I can state with local_rules.xml and control with local_decoders.xml.

> > Thanks for the info thus far Dan.
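One way to get the tagged iptables lines above into alerts.log without touching the action handling in log.c: a local decoder that matches on the "[UFW: " prefix and extracts the addresses, and local rules that key on the tag text with `<match>` rather than on a decoded action. This is an added example, not the decoders or rules Jean-Pierre posted; the decoder name, rule ids, alert levels and the sample log line are assumptions.

```xml
<!-- local_decoders.xml (added example; "ufw-tagged" is an assumed name) -->
<!-- Constructed sample line this decoder is written against:
     Mar  8 09:39:56 fw kernel: [UFW: SCAN]: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=44321 DPT=22 -->
<decoder name="ufw-tagged">
  <!-- syslog header is stripped by OSSEC; "kernel" is left as the program name -->
  <program_name>^kernel</program_name>
  <!-- any of the four tags starts with this prefix; OSSEC regex has no
       character classes, so the bracket is a literal here -->
  <prematch>^[UFW: </prematch>
  <!-- only the fields every tag carries, so ICMP lines (no DPT) still decode -->
  <regex offset="after_prematch">SRC=(\S+) DST=(\S+)</regex>
  <order>srcip,dstip</order>
</decoder>

<!-- local_rules.xml (added example; ids 100100-100102 are assumed to be free) -->
<group name="local,ufw,">
  <!-- base rule: every tagged event, low level so it is logged but not mailed -->
  <rule id="100100" level="3">
    <decoded_as>ufw-tagged</decoded_as>
    <description>Tagged UFW/iptables event.</description>
  </rule>

  <!-- the tag text is what distinguishes the event, so match on it directly -->
  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <match>^[UFW: SCAN]: </match>
    <description>UFW SCAN tag seen; level chosen to trigger the mobile notification.</description>
  </rule>

  <!-- same idea for the malformed-packet tag -->
  <rule id="100102" level="8">
    <if_sid>100100</if_sid>
    <match>^[UFW: ILEGAL PKT]: </match>
    <description>UFW ILEGAL PKT tag seen.</description>
  </rule>
</group>
```

Check the decoder with /var/ossec/bin/ossec-logtest by pasting the sample line: the output should name the decoder as ufw-tagged with srcip and dstip filled, and the rule id shown should be 100101 for the SCAN line.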
