Since OSSEC has support for incorporating geoip, is there a way to include
rules that are based on country code? I couldn't find any instructions in
the manual for doing so. There are some custom rules I wrote that would be
enhanced and triggered only for certain countries.
I understand that the geoip library has to be enabled; however, I couldn't
find whether rules can be written based on country or city codes that geoip
would return.
<ossec_config>
  <global>
    <!-- to specify GeoIP database file location -->
    <geoip_db_path>/etc/GeoLiteCity.dat</geoip_db_path>
    <geoip6_db_path>/etc/GeoLiteCityv6.dat</geoip6_db_path>
  </global>
  <alerts>
    <!-- to add GeoIP info in alerts -->
    <use_geoip>yes</use_geoip>
  </alerts>
</ossec_config>
Gil Vidals