Hi Gil, When I wrote this patch for OSSEC a long time ago (it was later integrated into the main branch), my goal was not to create "geolocalized" alerts. IMHO, to add this feature, it requires a lot of patching because you need to define a new keyword to be used in alerts like "srcip", "user", "data", etc... But indeed, it could be a nice feature! Feel free to contribute to the source code! :-)
/x

On Tue, May 26, 2015 at 11:53 PM, Gil Vidals <[email protected]> wrote:
> Since OSSEC has support for incorporating geoip, is there a way to include
> rules that are based on country code? I couldn't find any instructions in
> the manual for doing so. There are some custom rules I wrote that would be
> enhanced and triggered only for certain countries.
>
> I understand that the geoip library has to be enabled; however, I couldn't
> find whether rules can be written based on country or city codes that geoip
> would return.
>
> <ossec_config>
>   <global>
>     <!-- to specify GeoIP database file location -->
>     <geoip_db_path>/etc/GeoLiteCity.dat</geoip_db_path>
>     <geoip6_db_path>/etc/GeoLiteCityv6.dat</geoip6_db_path>
>   </global>
>
>   <alerts>
>     <!-- to add GeoIP info in alerts -->
>     <use_geoip>yes</use_geoip>
>   </alerts>
> </ossec_config>
>
> Gil Vidals
>
> --
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
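Since the rule engine in this thread has no country keyword, one defender-side workaround is to tag alerts by source country after the fact. The script below is an added example for this thread, not OSSEC code and not something either poster wrote: it parses constructed alerts.log-style records, extracts the `Src IP:` field, resolves the address against a small constructed CIDR-to-country table (standing in for the GeoLiteCity database named in `<geoip_db_path>`), and reports which alerts originate from countries on a watchlist. The record layout, the country codes and the watchlist are all assumptions for illustration.

```python
"""Country-tag OSSEC alerts outside the rule engine.

Hypothetical post-processor (added example, not OSSEC code): scans
alerts.log-style records for the "Src IP:" field, maps the address to a
country with a constructed CIDR table standing in for a GeoIP database,
and reports which alerts came from countries on a watchlist.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed lookup table: documentation ranges (RFC 5737 / RFC 3849)
# mapped to made-up country codes. A real deployment would query the
# GeoLiteCity database configured in <geoip_db_path> instead.
COUNTRY_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), "AA"),
    (ipaddress.ip_network("203.0.113.0/24"), "BB"),
    (ipaddress.ip_network("2001:db8::/32"), "CC"),
]

# Constructed alerts.log-style records (assumed layout); a blank line
# separates records, and each carries "Rule:" and "Src IP:" fields.
SAMPLE_ALERTS = """\
** Alert 1432677180.1: - syslog,sshd,authentication_failed,
2015 May 26 23:53:00 web01->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.5
User: root
May 26 23:53:00 web01 sshd[4321]: Failed password for root from 203.0.113.5 port 51022 ssh2

** Alert 1432677200.2: - syslog,sshd,authentication_failed,
2015 May 26 23:53:20 web01->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.77
User: admin
May 26 23:53:20 web01 sshd[4322]: Failed password for admin from 198.51.100.77 port 51023 ssh2

** Alert 1432677260.3: - syslog,sshd,authentication_failed,
2015 May 26 23:54:20 web01->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.9
User: root
May 26 23:54:20 web01 sshd[4323]: Failed password for root from 10.0.0.9 port 51024 ssh2
"""

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\)", re.M)
SRCIP_RE = re.compile(r"^Src IP: (\S+)", re.M)


def lookup_country(ip_text):
    """Return the country code for an address, or None if unknown/unparseable."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net, code in COUNTRY_TABLE:
        if addr in net:
            return code
    return None


def parse_alerts(text):
    """Split alerts.log-style text into dicts with rule id, level, src ip, country."""
    alerts = []
    for record in text.strip().split("\n\n"):
        if not record.startswith("** Alert"):
            continue
        rule = RULE_RE.search(record)
        src = SRCIP_RE.search(record)
        if not rule or not src:
            continue  # records without a Src IP cannot be geo-tagged
        alerts.append({
            "rule": int(rule.group(1)),
            "level": int(rule.group(2)),
            "srcip": src.group(1),
            "country": lookup_country(src.group(1)),
        })
    return alerts


def match_countries(alerts, watchlist):
    """Return only the alerts whose source country is on the watchlist."""
    return [a for a in alerts if a["country"] in watchlist]


def count_by_country(alerts):
    """Summarise alert volume per country; private/unknown sources land under None."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["country"]] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for hit in match_countries(parsed, {"BB"}):
        print("rule %d from %s (%s)" % (hit["rule"], hit["srcip"], hit["country"]))
    print(count_by_country(parsed))
```

Private and unresolvable sources deliberately map to `None` rather than being dropped, so a per-country summary still shows how much traffic the lookup could not attribute; that gap is worth watching when tuning any country-based filter.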
