Hi Gil!

Found your post (question) as I was researching options to create rules with geoip-attributes. I would also be very interested in doing what you suggest below, e.g. <srccountry>!US</srccountry>. When I learned this wasn't possible, I tried to make use of the active_response feature and a simple sh-script and try my luck that way.

Disclaimer: I'm not even close to being as knowledgeable as the other guys (@xme, @ddpbsd, @JesusLinares and others) you have involved in this thread, which is obvious from my more current posts outlining my quest to create even the simplest of decoders. Having said that, I was able to pass the IP-address from the matching rule to my script, make a geolookup and act on the output based on country (similar to !US in your example). If this is of interest to you or anyone else and not too trivial, I'd be happy to elaborate further.

Best regards,
Fredrik

On Wednesday, May 27, 2015 at 5:42:17 PM UTC+2, Gil Vidals wrote:
>
> What language is the source code? C?
>
> If we decide to contribute to the source code, it would be to add new tags: srccountry, srccity and dstcountry, dstcity.
>
> *srccountry:*
> Any country decoded as srccountry.
> Use "!" to negate it.
>
> *example: (any country outside the US)*
> <srccountry>!US</srccountry>
>
>
> On Wednesday, May 27, 2015 at 5:19:38 AM UTC-7, Xme wrote:
>>
>> Hi Gil,
>> When I wrote this patch for OSSEC a long time ago (it was later integrated into the main branch), my goal was not to create "geolocalized" alerts. IMHO, to add this feature, it requires a lot of patching because you need to define a new keyword to be used in alerts like "srcip", "user", "data", etc...
>> But indeed, it could be a nice feature! Feel free to contribute to the source code! :-)
>>
>> /x
>>
>> On Tue, May 26, 2015 at 11:53 PM, Gil Vidals <[email protected]> wrote:
>>
>>> Since OSSEC has support for incorporating geoip, is there a way to include rules that are based on country code? I couldn't find any instructions in the manual for doing so. There are some custom rules I wrote that would be enhanced and triggered only for certain countries.
>>>
>>> I understand that the geoip library has to be enabled; however, I couldn't find whether rules can be written based on country or city codes that geoip would return.
>>>
>>> <ossec_config>
>>>   <global>
>>>     <!-- to specify GeoIP database file location -->
>>>     <geoip_db_path>/etc/GeoLiteCity.dat</geoip_db_path>
>>>     <geoip6_db_path>/etc/GeoLiteCityv6.dat</geoip6_db_path>
>>>   </global>
>>>
>>>   <alerts>
>>>     <!-- to add GeoIP info in alerts -->
>>>     <use_geoip>yes</use_geoip>
>>>   </alerts>
>>> </ossec_config>
>>>
>>>
>>> Gil Vidals
>>>
>>> --
>>> ---
>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
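The active-response workaround Fredrik describes (rule passes the source IP to a script, the script does a geo lookup and decides by country using Gil's proposed `!US` syntax), written out as an added example; this is neither Fredrik's script nor part of OSSEC. It assumes `geoiplookup(1)` from geoip-bin with the country database installed, OSSEC's active-response argument order (action, user, srcip, alert id, rule id), and a hypothetical `COUNTRY_FILTER` setting.

```shell
#!/bin/sh
# OSSEC active-response script, added example (not Fredrik's or the project's).
# OSSEC invokes active-response scripts as:
#   <script> <action> <user> <srcip> <alert_id> <rule_id>
# Assumes geoiplookup(1) from geoip-bin with the country database installed,
# which prints lines such as:  GeoIP Country Edition: SE, Sweden
# COUNTRY_FILTER (hypothetical setting) uses the proposed syntax: "US" or "!US".
COUNTRY_FILTER="${COUNTRY_FILTER:-!US}"

# Read geoiplookup output on stdin and print the two-letter country code
# (prints nothing when the address was not found, so failures stay visible).
parse_country_code() {
    sed -n 's/^GeoIP Country.*Edition: \([A-Z][A-Z]\),.*/\1/p' | head -n 1
}

# Resolve an IP to a country code; prints "??" if the lookup yields nothing.
lookup_country() {
    code=$(geoiplookup "$1" 2>/dev/null | parse_country_code)
    if [ -n "$code" ]; then printf '%s\n' "$code"; else printf '??\n'; fi
}

# Policy check with the proposed <srccountry> semantics: "US" matches only US,
# "!US" matches every code except US. Returns 0 when the response should run.
# An unknown code ("??") still matches "!US", so unresolved sources are not
# silently treated as domestic; tighten this if that is not what you want.
country_matches() {
    pattern=$1
    code=$2
    case $pattern in
        '!'*) [ "$code" != "${pattern#?}" ] ;;
        *)    [ "$code" = "$pattern" ] ;;
    esac
}

main() {
    action=$1; user=$2; srcip=$3; alert_id=$4; rule_id=$5
    code=$(lookup_country "$srcip")
    if country_matches "$COUNTRY_FILTER" "$code"; then
        # Record the decision; replace logger with the real response (for example
        # handing the same arguments to the stock firewall-drop.sh).
        logger -t ossec-geo "rule $rule_id alert $alert_id: $action $srcip ($code) matches $COUNTRY_FILTER"
    else
        logger -t ossec-geo "rule $rule_id alert $alert_id: $srcip ($code) outside $COUNTRY_FILTER, no action"
    fi
}

# Only act when called with OSSEC's arguments, so the functions can also be sourced.
if [ "$#" -ge 5 ]; then
    main "$@"
fi
```

Wire it up like any other active response in ossec.conf (a `<command>` pointing at the script plus an `<active-response>` bound to the rule ids), and remember the decision happens after the alert fires, so this filters the response, not the alert itself.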
