On Mon, Aug 11, 2014 at 10:00 AM, Steve Murphy <m...@parsetree.com> wrote:

> In answer to my own question, I include a patch to psad that
> will allow the user to define a call to an external script,
> that will get executed only when the iptables block is entered.
>
> It introduces two new config variables:
>
> ENABLE_EXT_BLOCK_SCRIPT_EXEC   (default: N)
> EXTERNAL_BLOCK_SCRIPT    (default: /bin/true)
>
> Very basic stuff.
>
> Enjoy!
>
>
Hello Steve,

Many thanks for sending the patch.  I'll merge this and send out a new -pre
release in two days or so.

--Mike


> murf
>
>
>
> On Thu, Jul 31, 2014 at 12:18 AM, Steve Murphy <m...@parsetree.com> wrote:
>
>>
>> I'm writing a network app to mimic the OSSEC
>> active response feature across multiple hosts,
>> but without the OSSEC machinery behind it, and
>> without the per-agent registration.
>>
>> At any rate, it would be nice if I could execute
>> an external script from psad, when a block is
>> inserted in iptables. And it would be nice if the
>> script were run ONLY when a block was added.
>>
>> I see the config directives:
>>
>> ENABLE_EXT_SCRIPT_EXEC
>> EXTERNAL_SCRIPT
>> EXEC_EXT_SCRIPT_PER_ALERT
>>
>> and I see that EXTERNAL_SCRIPT replaces SRCIP in the
>> command string. Too bad DANGERLEVEL isn't also substituted.
>> There might even be a few more that might be nice to have...
>>
>> I also see that I get psad-status emails when an IP is banned;
>> psad-alert messages can come out several times before being banned...
>>
>> What would you advise me to do, to get the effect I seek from psad? One
>> execution of the external script only when an IP is entered into iptables...
>>
>> murf
>>
>> --
>>
>> Steve Murphy
>> ParseTree Corporation
>> 57 Lane 17
>> Cody, WY 82414
>> ✉  murf at parsetree dot com
>> ☎ 307-899-5535
>>
>>
>>
>
>
> --
>
> Steve Murphy
> ParseTree Corporation
> 57 Lane 17
> Cody, WY 82414
> ✉  murf at parsetree dot com
> ☎ 307-899-5535
>
>
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> psad-discuss mailing list
> psad-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/psad-discuss
>
>


-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
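A hook of the kind discussed in this thread, as an added example that is not part of the thread or of Steve's patch: a script that EXTERNAL_BLOCK_SCRIPT could point at, which validates the address it is handed and queues each blocked IP only once. It assumes psad passes the blocked source IP as the first argument (the thread only states that SRCIP is substituted into the EXTERNAL_SCRIPT command string); the function names and the spool path are hypothetical.

```shell
#!/bin/sh
# Added example: hypothetical hook for EXTERNAL_BLOCK_SCRIPT.
# Assumption: the blocked source IP arrives as $1.
# Assumption: psad runs the hook serially, so the spool file is not locked.

# Return 0 only for a strict dotted-quad IPv4 address (four octets, 0-255).
# Anything else (shell metacharacters, spaces, hostnames) is rejected, so the
# value is safe to hand to later commands.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1            # split on dots; input is digits and dots only here
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# queue_block IP SPOOL_FILE
# Returns 0 if the IP was queued, 1 if it was already queued, 2 if rejected.
# The duplicate check keeps a repeated invocation for the same address from
# producing a second downstream action.
queue_block() {
    is_ipv4 "$1" || return 2
    if [ -f "$2" ] && grep -qxF -- "$1" "$2"; then
        return 1
    fi
    printf '%s\n' "$1" >> "$2"
}

# Stand-alone use: <script> <ip>. The spool path below is a placeholder.
[ "$#" -eq 0 ] || queue_block "$1" "${PSAD_BLOCK_SPOOL:-/var/spool/psad-blocks.queue}"
```

A separate process can read the spool file and distribute the queued addresses to the other hosts.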
