I'm writing a network app to mimic the OSSEC
active response feature across multiple hosts,
but without the OSSEC machinery behind it, and
without the per-agent registration.

At any rate, it would be nice if I could execute
an external script from psad, when a block is
inserted in iptables. And it would be nice if the
script were run ONLY when a block was added.

I see the config directives:


and I see that EXTERNAL_SCRIPT replaces SRCIP in the
command string. Too bad DANGERLEVEL isn't also substituted.
There might even be a few more that might be nice to have...

I also see that I get psad-status emails when an IP is banned;
psad-alert messages can come out several times before being banned...

What would you advise me to do, to get the effect I seek from psad? One
execution of the external script only when an IP is entered into iptables...



Steve Murphy
ParseTree Corporation
57 Lane 17
Cody, WY 82414
✉  murf at parsetree dot com
☎ 307-899-5535
Infragistics Professional
Build stunning WinForms apps today!
Reboot your WinForms applications with our WinForms controls. 
Build a bridge from your legacy apps to the future.
psad-discuss mailing list

Reply via email to