On Thu, Aug 21, 2014 at 10:38 AM, Steve Murphy <m...@parsetree.com> wrote:

> Mike--
>
> I see the alteration, and thoroughly approve. I would have merged the two
> invocations myself,
> but came to indecision as to exactly how to implement that... push the
> PER_ALERT stuff up a level,
> or make special code inside the external script call... I left that to
> you, and you did
> great.
>

Thanks for mentioning the per-alert tracking stuff - I've committed another
minor change to maintain better separation with that feature.

--Mike


>
> murf
>
>
> On Wed, Aug 20, 2014 at 9:11 PM, Michael Rash <michael.r...@gmail.com>
> wrote:
>
>>
>>
>> On Mon, Aug 11, 2014 at 11:35 PM, Michael Rash <michael.r...@gmail.com>
>> wrote:
>>
>>>
>>> On Mon, Aug 11, 2014 at 10:00 AM, Steve Murphy <m...@parsetree.com>
>>> wrote:
>>>
>>>> In answer to my own question, I include a patch to psad that
>>>> will allow the user to define a call to an external script,
>>>> that will get executed only when the iptables block is entered.
>>>>
>>>> It introduces two new config variables:
>>>>
>>>> ENABLE_EXT_BLOCK_SCRIPT_EXEC   (default: N)
>>>> EXTERNAL_BLOCK_SCRIPT    (default: /bin/true)
>>>>
>>>> Very basic stuff.
>>>>
>>>> Enjoy!
>>>>
>>>>
>>> Hello Steve,
>>>
>>> Many thanks for sending the patch.  I'll merge this and send out a new
>>> -pre release in two days or so.
>>>
>>>
>> Steve,
>>
>> Apologies for the delay. I've merged a slightly modified version of your
>> patch and added you to the 'CREDITS' file. Here is psad-2.2.4-pre1 if you
>> want to test it out:
>>
>> https://www.cipherdyne.org/psad/download/psad-2.2.4-pre1.tar.gz
>>
>> sha256: d734553fa80dfa92125fdd43781d997a84c1dc059ce2e032eafae3e4b0e93afe
>>
>> Thanks,
>>
>> --Mike
>>
>>
>>>  --Mike
>>>
>>>
>>>>  murf
>>>>
>>>>
>>>>
>>>> On Thu, Jul 31, 2014 at 12:18 AM, Steve Murphy <m...@parsetree.com>
>>>> wrote:
>>>>
>>>>>
>>>>> I'm writing a network app to mimic the OSSEC
>>>>> active response feature across multiple hosts,
>>>>> but without the OSSEC machinery behind it, and
>>>>> without the per-agent registration.
>>>>>
>>>>> At any rate, it would be nice if I could execute
>>>>> an external script from psad, when a block is
>>>>>  inserted in iptables. And it would be nice if the
>>>>> script were run ONLY when a block was added.
>>>>>
>>>>> I see the config directives:
>>>>>
>>>>> ENABLE_EXT_SCRIPT_EXEC
>>>>> EXTERNAL_SCRIPT
>>>>> EXEC_EXT_SCRIPT_PER_ALERT
>>>>>
>>>>> and I see that EXTERNAL_SCRIPT replaces SRCIP in the
>>>>> command string. Too bad DANGERLEVEL isn't also substituted.
>>>>> There might even be a few more that might be nice to have...
>>>>>
>>>>> I also see that I get psad-status emails when an IP is banned;
>>>>> psad-alert messages can come out several times before being banned...
>>>>>
>>>>> What would you advise me to do, to get the effect I seek from psad?
>>>>> One execution of the external script only when an IP is entered into
>>>>> iptables...
>>>>>
>>>>> murf
>>>>>
>>>>> --
>>>>>
>>>>> Steve Murphy
>>>>> ParseTree Corporation
>>>>> 57 Lane 17
>>>>> Cody, WY 82414
>>>>> ✉  murf at parsetree dot com
>>>>> ☎ 307-899-5535
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>>
>>>> _______________________________________________
>>>> psad-discuss mailing list
>>>> psad-discuss@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/psad-discuss
>>>>
>>>>
>>>
>>>
>>> --
>>> Michael Rash | Founder
>>> http://www.cipherdyne.org/
>>> Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
>>>
>>
>>
>>
>
>


-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
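
An added example, not part of the original thread and not psad's own code: a small handler of the kind that could be set as EXTERNAL_BLOCK_SCRIPT, which validates its argument before acting and queues each blocked address only once. It assumes psad substitutes SRCIP into this command string the way the thread describes for EXTERNAL_SCRIPT; the install path, queue file and function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical handler for psad's EXTERNAL_BLOCK_SCRIPT (added example).
# Assumed psad.conf lines; SRCIP substitution here is an assumption:
#   ENABLE_EXT_BLOCK_SCRIPT_EXEC   Y;
#   EXTERNAL_BLOCK_SCRIPT          /usr/local/sbin/psad-block-hook SRCIP;

# Constructed default path; override with BLOCK_QUEUE in a real deployment.
QUEUE="${BLOCK_QUEUE:-/var/spool/psad-block-hook/queue}"

# Return 0 only for a strict dotted-quad IPv4 address (no leading zeros).
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray chars, empty octet
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; safe because only digits/dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac
        { [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ]; } || return 1
    done
    return 0
}

# Queue an address for distribution to other hosts.
# Returns 0 if newly queued, 1 if already queued, 2 if the argument is rejected.
record_block() {
    valid_ipv4 "$1" || return 2
    mkdir -p "$(dirname "$QUEUE")" || return 2
    if [ -f "$QUEUE" ] && grep -qxF "$1" "$QUEUE"; then
        return 1
    fi
    printf '%s\n' "$1" >> "$QUEUE"
}

# Entry point when psad invokes the script with the substituted address.
if [ "$#" -gt 0 ]; then
    record_block "$1"
fi
```

Because the handler runs with psad's privileges, the argument is never passed to a shell or to iptables before `valid_ipv4` accepts it.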
