In answer to my own question, I include a patch to psad that will allow the user to define a call to an external script that will get executed only when the iptables block is entered.

It introduces two new config variables:

ENABLE_EXT_BLOCK_SCRIPT_EXEC (default: N)
EXTERNAL_BLOCK_SCRIPT (default: /bin/true)

Very basic stuff. Enjoy!

murf

On Thu, Jul 31, 2014 at 12:18 AM, Steve Murphy <m...@parsetree.com> wrote:
>
> I'm writing a network app to mimic the OSSEC
> active response feature across multiple hosts,
> but without the OSSEC machinery behind it, and
> without the per-agent registration.
>
> At any rate, it would be nice if I could execute
> an external script from psad when a block is
> inserted in iptables. And it would be nice if the
> script were run ONLY when a block was added.
>
> I see the config directives:
>
> ENABLE_EXT_SCRIPT_EXEC
> EXTERNAL_SCRIPT
> EXEC_EXT_SCRIPT_PER_ALERT
>
> and I see that EXTERNAL_SCRIPT replaces SRCIP in the
> command string. Too bad DANGERLEVEL isn't also substituted.
> There might even be a few more that might be nice to have...
>
> I also see that I get psad-status emails when an IP is banned;
> psad-alert messages can come out several times before being banned...
>
> What would you advise me to do, to get the effect I seek from psad? One
> execution of the external script only when an IP is entered into iptables...
>
> murf
>
> --
>
> Steve Murphy
> ParseTree Corporation
> 57 Lane 17
> Cody, WY 82414
> ✉ murf at parsetree dot com
> ☎ 307-899-5535
>
>

--
Steve Murphy
ParseTree Corporation
57 Lane 17
Cody, WY 82414
✉ murf at parsetree dot com
☎ 307-899-5535
patch.psad.extblock
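As an added example (not part of the thread or of the attached patch), here is the kind of hook script the new EXTERNAL_BLOCK_SCRIPT directive could point at for the cross-host use case described above. It assumes the patched psad substitutes SRCIP into EXTERNAL_BLOCK_SCRIPT the way the existing EXTERNAL_SCRIPT directive does; the script path, log path and function names are hypothetical. Because psad hands the script an attacker-controlled value, the script validates it as a plain IPv4 address before recording anything.

```shell
#!/bin/sh
# Constructed example of a psad block hook. Intended to be referenced from
# psad.conf as (assumed syntax, mirroring the existing EXTERNAL_SCRIPT directive):
#   ENABLE_EXT_BLOCK_SCRIPT_EXEC    Y;
#   EXTERNAL_BLOCK_SCRIPT           /usr/local/sbin/psad-block-hook.sh SRCIP;

BLOCK_LOG="${BLOCK_LOG:-/var/log/psad-block-hook.log}"

# Accept only a dotted-quad IPv4 address with every octet in 0..255. Anything
# else is refused, so a malformed value never reaches the log or any tool
# that later consumes it (for example a script propagating the block to peers).
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS
    IFS=.
    set -- $1        # function-local positional parameters, one per octet
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Append one timestamped record per block event and print the line written.
# $1 = source IP handed over by psad, $2 = optional log path override.
record_block() {
    ip=$1
    log=${2:-$BLOCK_LOG}
    if ! is_ipv4 "$ip"; then
        echo "psad-block-hook: rejected value '$ip'" >&2
        return 2
    fi
    line="$(date -u +%Y-%m-%dT%H:%M:%SZ) block src=$ip"
    printf '%s\n' "$line" >> "$log"
    printf '%s\n' "$line"
}

# When psad runs the script directly, the substituted SRCIP arrives as $1.
if [ -n "$1" ]; then
    record_block "$1"
fi
```

The one-line-per-event log is what a peer-notification step would consume, so rejecting anything but a bare IPv4 address keeps that downstream step from ever seeing shell metacharacters.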