Why not build an active-response module that can feed output into
snortsam? That, or if you wanted something quick and dirty, use samtool
to add blocks via script; snortsam already has support for multiple
firewalls, routers, etc. No need to reinvent the wheel... Just a
thought.
Regards,
Will
On 6/18/07, Daniel Cid <[EMAIL PROTECTED]> wrote:
>
> Hi Jens,
>
> Reply inline..
>
>
> On 6/14/07, Harsem, Jens <[EMAIL PROTECTED]> wrote:
> >
> > Hello all,
> >
> > thank you for the support & help that this list and the ossec.net web site
> > provides. And I am hoping to stretch this a bit further… please
> >
> >
> > I have got a Cisco ASA that is currently sending its syslogs over to my
> > OSSEC machine. This is running on a cut down version of Red Hat and running
> > very nicely. I get my e-mail alerts as I should when things happen that
> > should not.
>
> Good :)
>
> > # We should run on linux
> > ....
> > ....
> > if [ "X${UNAME}" = "XLinux" ]; then
> >
> > Not what you expected I am sure, it is a kluge, but it works – and I am a
> > happy man.
>
> The idea is very good, and maybe you could share your script with us? Are you
> using ssh or telnet to log in to the ASA? We could clean it up a little
> bit and make it available for everyone (I know external active responses
> are something many people have asked for before)...
>
> > And here is my problem – I do not want it to be hard coded, really, I would
> > like this to be picked up from the log entries. I have another ASA somewhere
> > else that I also want to have send its Syslog messages to this OSSEC Server.
> > And I want to have the same goodness on that ASA.
> >
> > Hence my question (after a half marathon) – is there any way that I can
> > extract the IP of the source of the Syslog files for the shun & un-shun of
> > the hosts for the ASA? I am hoping for a parameter that I can use in that
> > script so that I can parse it to a text file and use it as well.
>
> Yes, you can. If you look at the script, we only use up to
> argument 5 (rule id), but if you use arguments $6 and $7 they will
> have the agent (or ip of the device) that generated the alert, so
> based on that you can decide where to shun ...
>
> > If anyone has ASAs and wants to know how those text files work with the ASA
> > please let me know – I would be more than happy to help.
>
> Yes, please (see above) :)
>
>
> Hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
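As an added illustration of what Daniel describes (picking the ASA from the alert's agent/device argument rather than hard-coding it), here is a small OSSEC-style active-response script. It is example code written for this thread, not OSSEC's own shipped script and not Jens's kluge. The positional-argument layout it assumes ($1 action, $3 source IP, $5 rule id, $6 or $7 the agent or device that generated the alert) follows Daniel's reply; the device-to-ASA lookup table, the RFC 5737 addresses and the dry-run output file are constructed for the example, and instead of opening an ssh/telnet session to the ASA it only records the `shun` / `no shun` line that would be sent.

```shell
#!/bin/sh
# Example OSSEC-style active-response script (added for illustration; not
# OSSEC's own script).  Argument order assumed from Daniel's reply:
#   $1 action (add|delete)  $3 source ip  $5 rule id  $6/$7 agent or device
# The lookup table, addresses and output path below are constructed.

# Constructed table: "<agent-or-device-id> <asa-management-address>".
ASA_TABLE="asa-site-a 192.0.2.10
asa-site-b 192.0.2.20
203.0.113.5 192.0.2.20"

# Dry run: commands are appended here instead of being sent to the ASA.
OUT_FILE="${OUT_FILE:-/tmp/asa-shun-commands.txt}"

# pick_asa DEVICE -> prints the ASA address mapped to DEVICE, or nothing.
pick_asa() {
    dev="$1"
    printf '%s\n' "$ASA_TABLE" | while read -r name addr; do
        if [ "$name" = "$dev" ]; then
            printf '%s\n' "$addr"
            break
        fi
    done
}

# build_shun_cmd ACTION IP -> "shun IP" on add, "no shun IP" on delete.
build_shun_cmd() {
    case "$1" in
        add)    printf 'shun %s\n' "$2" ;;
        delete) printf 'no shun %s\n' "$2" ;;
        *)      return 1 ;;
    esac
}

# valid_ipv4 IP -> succeeds only for a dotted quad, so a malformed or
# hostile field in the alert never becomes part of a firewall command.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# main: invoked by ossec-execd with the alert fields as arguments.
main() {
    action="$1"; srcip="$3"; rule="$5"; device="${6:-$7}"
    valid_ipv4 "$srcip" || { echo "refusing bad ip: $srcip" >&2; return 1; }
    asa="$(pick_asa "$device")"
    if [ -z "$asa" ]; then
        echo "no ASA mapped for device '$device' (rule $rule)" >&2
        return 1
    fi
    cmd="$(build_shun_cmd "$action" "$srcip")" || return 1
    # Record which ASA would receive which command (dry run).
    printf '%s %s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$asa" "$cmd" >> "$OUT_FILE"
    echo "$asa: $cmd"
}

# Only act when called with alert arguments, so sourcing the file is harmless.
if [ $# -ge 6 ]; then
    main "$@"
fi
```

Run it the way execd would, e.g. `./asa-shun.sh add - 10.1.2.3 1 100 asa-site-a`, and it prints `192.0.2.10: shun 10.1.2.3`; an unmapped device or a non-IP source field is refused rather than sent anywhere, which is the check worth keeping when the real ssh/telnet step is added.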