I'm writing a network app to mimic the OSSEC
active response feature across multiple hosts,
but without the OSSEC machinery behind it, and
without the per-agent registration.

At any rate, it would be nice if I could execute
an external script from psad, when a block is
inserted in iptables. And it would be nice if the
script were run ONLY when a block was added.

I see the config directives:

ENABLE_EXT_SCRIPT_EXEC
EXTERNAL_SCRIPT
EXEC_EXT_SCRIPT_PER_ALERT

and I see that EXTERNAL_SCRIPT replaces SRCIP in the
command string. Too bad DANGERLEVEL isn't also substituted.
There might even be a few more that might be nice to have...

I also see that I get psad-status emails when an IP is banned;
psad-alert messages can come out several times before being banned...

What would you advise me to do, to get the effect I seek from psad? One
execution of the external script only when an IP is entered into iptables...

murf

-- 

Steve Murphy
ParseTree Corporation
57 Lane 17
Cody, WY 82414
✉  murf at parsetree dot com
☎ 307-899-5535
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
