What language is the source code? C? If we decide to contribute to the source code, it would be to add new tags: srccountry, srccity and dstcountry, dstcity.

*srccountry:* Any country decoded as srccountry. Use "!" to negate it.
*example: (any country outside the US)*
<srccountry>!US</srccountry>

On Wednesday, May 27, 2015 at 5:19:38 AM UTC-7, Xme wrote:
>
> Hi Gil,
> When I wrote this patch for OSSEC a long time ago (it was later integrated into the main branch), my goal was not to create "geolocalized" alerts.
> IMHO, to add this feature, it requires a lot of patching because you need to define a new keyword to be used in alerts like "srcip", "user", "data", etc...
> But indeed, it could be a nice feature! Feel free to contribute to the source code! :-)
>
> /x
>
> On Tue, May 26, 2015 at 11:53 PM, Gil Vidals <[email protected]> wrote:
>
>> Since OSSEC has support for incorporating geoip, is there a way to include rules that are based on country code? I couldn't find any instructions in the manual for doing so. There are some custom rules I wrote that would be enhanced and triggered only for certain countries.
>>
>> I understand that the geoip library has to be enabled; however, I couldn't find whether rules can be written based on country or city codes that geoip would return.
>>
>> <ossec_config>
>>   <global>
>>     <!-- to specify GeoIP database file location -->
>>     <geoip_db_path>/etc/GeoLiteCity.dat</geoip_db_path>
>>     <geoip6_db_path>/etc/GeoLiteCityv6.dat</geoip6_db_path>
>>   </global>
>>
>>   <alerts>
>>     <!-- to add GeoIP info in alerts -->
>>     <use_geoip>yes</use_geoip>
>>   </alerts>
>> </ossec_config>
>>
>> Gil Vidals
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
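To make the proposed `srccountry` / `srccity` / `dstcountry` / `dstcity` keywords concrete, here is an added illustration of how such a rule field could be parsed and evaluated against the GeoIP data already decoded into an alert. This is example code written for this thread, not OSSEC source (OSSEC's rule engine is C and, at the time of the thread, has no such keyword). The semantics are an assumption modelled on the existing `srcip` field: a comma-separated value list, a leading `!` negating the whole match, and, as a deliberate design choice, an event with no geolocation (private address, missing database) never matching, so a negated rule does not fire on every unlocatable source. The rule ids, IPs and country/city values are constructed sample data.

```python
"""Hypothetical evaluation of geo rule keywords (srccountry, srccity, dstcountry,
dstcity) for an OSSEC-style rule.  Added example, not OSSEC code; the keyword
semantics below are assumptions mirroring how srcip handles "!" negation."""

import xml.etree.ElementTree as ET

GEO_KEYWORDS = ("srccountry", "srccity", "dstcountry", "dstcity")


def parse_geo_conditions(rule_xml):
    """Return {keyword: (negated, set_of_values)} for each geo keyword in a <rule>.

    "!US,CA" -> (True, {"US", "CA"}); "US" -> (False, {"US"}).
    Values are upper-cased so that "ca" and "CA" compare equal.
    """
    root = ET.fromstring(rule_xml.strip())
    conditions = {}
    for kw in GEO_KEYWORDS:
        node = root.find(kw)
        if node is None or not (node.text or "").strip():
            continue
        text = node.text.strip()
        negated = text.startswith("!")
        values = {v.strip().upper() for v in text.lstrip("!").split(",") if v.strip()}
        conditions[kw] = (negated, values)
    return conditions


def geo_matches(conditions, alert):
    """Evaluate parsed geo conditions against one alert dict.

    alert carries the fields GeoIP decoded for the event, e.g. alert["srccountry"].
    A missing field means the address could not be geolocated; the rule then does
    not match, even when negated (assumed behaviour, chosen to avoid noisy alerts
    on private/unroutable addresses).
    """
    for kw, (negated, values) in conditions.items():
        decoded = alert.get(kw)
        if decoded is None:
            return False
        hit = decoded.strip().upper() in values
        # Non-negated: need a hit.  Negated: need no hit.
        if hit == negated:
            return False
    return True


def evaluate(rule_xml, alerts):
    """Return the srcip of every alert the rule's geo conditions accept."""
    conditions = parse_geo_conditions(rule_xml)
    return [a["srcip"] for a in alerts if geo_matches(conditions, a)]


# Constructed rule: fire on anything outside the US or Canada (local rule id range).
RULE = """
<rule id="100100" level="10">
  <srccountry>!US,CA</srccountry>
  <description>Event from a source outside US/Canada</description>
</rule>
"""

# Constructed alerts using documentation-only IP ranges; the geo fields stand in
# for what OSSEC's GeoIP lookup would decode with <use_geoip>yes</use_geoip>.
SAMPLE_ALERTS = [
    {"srcip": "203.0.113.7", "srccountry": "FR", "srccity": "Paris"},
    {"srcip": "198.51.100.9", "srccountry": "US", "srccity": "Austin"},
    {"srcip": "192.0.2.5", "srccountry": "ca", "srccity": "Toronto"},
    {"srcip": "10.0.0.4"},  # private address: GeoIP returns nothing
]

if __name__ == "__main__":
    print(evaluate(RULE, SAMPLE_ALERTS))  # -> ['203.0.113.7']
```

Note that the private 10.0.0.4 event is excluded even though it is "not US or CA"; if the intended policy is instead to treat unlocatable sources as foreign, `geo_matches` would return `negated` rather than `False` when the field is absent, and that choice should be made explicitly when the keyword is designed.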
