On Fri, May 23, 2014 at 2:55 PM, PAL 18 <[email protected]> wrote:
> Does OSSEC work on top of Iptables?  If so, I'll just use iptables to block
> the ranges.
>

The question doesn't make sense. The active response feature can use
iptables, but other than that the two do not interact.

The blacklist idea would be that you download the IPs/domains and
either directly block them, feed them into OSSEC and make blocks when
a host tries to access them, or block them and make OSSEC aware so
that it can alert you that a host tried to access one of these
blacklisted IPs. I generally prefer the pro-active response myself. I
block IPs on my firewall, domains on my dns server, and have OSSEC
alert when one of these suspicious IPs/domains shows up in the logs so
I know to look at that host very carefully.

>
> On Friday, May 23, 2014 2:08:37 PM UTC-4, Michael Starks wrote:
>>
>> On 05/23/2014 12:28 PM, PAL 18 wrote:
>> > Can you share the script you've made?
>>
>> Ideally, OSSEC would have a fancy update daemon that was responsible for
>> this and rules/decoders, but it's only been talked about so far.
>>
>> I have a script which downloads from several sources and compiles into
>> CDB lists. I haven't shared it because I don't want to put it into
>> contrib and then have someone's personal site hammered with lots of
>> OSSEC users. But I can send it to you privately if you like.
>>
>> Btw, I am not entirely convinced that it works to update a CDB list
>> without restarting OSSEC. It's supposed to, but I saw some strange
>> things I have yet to look into.
>>
>> At any rate, I maintain a doc of lists I have found here:
>>
>> https://docs.google.com/document/d/1sAI8-_kAP02IpLCYeRnoI4ZV6a3VnWeItR2SdbUb_Ps/edit?usp=sharing
>>
>> It hasn't been updated in a while, so comment in the doc if I should add
>> something.
>>
>> One final note: Use this info in rules wisely. Just because someone
>> connects to you from, say, a Tor IP, it might not be an indicator of
>> concern. You really need to look at this stuff in context.
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

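The workflow described in the thread (pull several IP/domain feeds, merge them, block at the firewall and DNS, and have OSSEC alert on hits via a CDB list) as an added example. This is not Michael Starks' private script and not OSSEC's own tooling; the feed contents are constructed inline so it runs offline, and the rule fragment in the comment is an assumption to adapt to your own decoders. The rendered `key:value` text is what `ossec-makelists` compiles into the `.cdb` file that `<list>` rules look up.

```python
"""Merge block feeds into OSSEC CDB list sources plus iptables rules.

Added example for the thread above; not the list author's script.
Feeds below are constructed samples. A real run would fetch them with
urllib on a schedule and cache locally so upstream sites are not hammered.

Matching OSSEC rule (assumed fragment; pick the if_group/if_sid you need):
  <rule id="100100" level="10">
    <if_group>authentication_failed</if_group>
    <list field="srcip" lookup="address_match_key">lists/blocklist-ips</list>
    <description>Authentication failure from blacklisted IP</description>
  </rule>
with <rules><list>lists/blocklist-ips</list></rules> in ossec.conf.
"""
import ipaddress
import re

# Constructed sample feeds: name -> raw text in the shapes feeds commonly use
# (comments with '#' or ';', trailing comments, CIDR blocks, hosts-file lines).
FEEDS = {
    "tor-exits": """# Tor exit nodes (constructed sample)
198.51.100.7
198.51.100.8   # comment after value
203.0.113.0/24
not-an-ip
""",
    "malware-domains": """; domain feed (constructed sample)
evil.example
EVIL.example
0.0.0.0 sinkhole.example
""",
    "c2-ips": "198.51.100.7\n192.0.2.55\n",
}

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def parse_feed(text):
    """Return (ips, nets, domains) sets parsed from one feed's raw text."""
    ips, nets, domains = set(), set(), set()
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        # hosts-file style "0.0.0.0 domain": the last field is the entry.
        token = line.split()[-1].lower()
        try:
            if "/" in token:
                net = ipaddress.ip_network(token, strict=False)
                if net.version == 4:
                    nets.add(str(net))
            else:
                addr = ipaddress.ip_address(token)
                if addr.version == 4:
                    ips.add(str(addr))
            # IPv6 is skipped: ':' is the key/value separator in CDB source.
            continue
        except ValueError:
            pass
        if DOMAIN_RE.match(token):
            domains.add(token)
        # Anything else is dropped; a production script should log it.
    return ips, nets, domains


def merge_feeds(feeds):
    """Merge feeds; each entry's value records which feeds listed it.

    Keeping the source names in the value gives the analyst the context
    the thread asks for (a Tor exit is not the same signal as a C2 IP).
    """
    ip_src, net_src, dom_src = {}, {}, {}
    for name, text in feeds.items():
        ips, nets, domains = parse_feed(text)
        for store, keys in ((ip_src, ips), (net_src, nets), (dom_src, domains)):
            for key in keys:
                store.setdefault(key, set()).add(name)
    return ip_src, net_src, dom_src


def cdb_source(entries):
    """Render entries as CDB list source text: one 'key:value' per line."""
    lines = [f"{k}:{','.join(sorted(v))}" for k, v in sorted(entries.items())]
    return "\n".join(lines) + "\n"


def iptables_rules(ip_src, net_src, chain="INPUT"):
    """Firewall side: one DROP rule per blacklisted IP or network."""
    return [f"iptables -A {chain} -s {k} -j DROP"
            for k in sorted(list(ip_src) + list(net_src))]


if __name__ == "__main__":
    ip_src, net_src, dom_src = merge_feeds(FEEDS)
    print("# lists/blocklist-ips (run ossec-makelists after writing)")
    print(cdb_source(ip_src), end="")
    print("# lists/blocklist-domains")
    print(cdb_source(dom_src), end="")
    print("\n".join(iptables_rules(ip_src, net_src)))
```

Write the two rendered texts to `lists/blocklist-ips` and `lists/blocklist-domains` under the OSSEC directory, add them to `ossec.conf`, then run `ossec-makelists`; as noted in the thread, verify on your own install whether the new `.cdb` is picked up without a restart rather than assuming it is.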