In answer to my own question, I include a patch to psad that
will allow the user to define a call to an external script,
that will get executed only when the iptables block is entered.

It introduces two new config variables:

ENABLE_EXT_BLOCK_SCRIPT_EXEC (default: N)
EXTERNAL_BLOCK_SCRIPT (default: /bin/true)

Very basic stuff.

Enjoy!

murf



On Thu, Jul 31, 2014 at 12:18 AM, Steve Murphy <m...@parsetree.com> wrote:

>
> I'm writing a network app to mimic the OSSEC
> active response feature across multiple hosts,
> but without the OSSEC machinery behind it, and
> without the per-agent registration.
>
> At any rate, it would be nice if I could execute
> an external script from psad, when a block is
> inserted in iptables. And it would be nice if the
> script were run ONLY when a block was added.
>
> I see the config directives:
>
> ENABLE_EXT_SCRIPT_EXEC
> EXTERNAL_SCRIPT
> EXEC_EXT_SCRIPT_PER_ALERT
>
> and I see that EXTERNAL_SCRIPT replaces SRCIP in the
> command string. Too bad DANGERLEVEL isn't also substituted.
> There might even be a few more that might be nice to have...
>
> I also see that I get psad-status emails when an IP is banned;
> psad-alert messages can come out several times before being banned...
>
> What would you advise me to do, to get the effect I seek from psad? One
> execution of the external script only when an IP is entered into iptables...
>
> murf
>
> --
>
> Steve Murphy
> ParseTree Corporation
> 57 Lane 17
> Cody, WY 82414
> ✉  murf at parsetree dot com
> ☎ 307-899-5535
>
>
>


-- 

Steve Murphy
ParseTree Corporation
57 Lane 17
Cody, WY 82414
✉  murf at parsetree dot com
☎ 307-899-5535

Attachment: patch.psad.extblock
Description: Binary data

------------------------------------------------------------------------------
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
