On Mon, Aug 11, 2014 at 10:00 AM, Steve Murphy <m...@parsetree.com> wrote:
> In answer to my own question, I include a patch to psad that
> will allow the user to define a call to an external script,
> that will get executed only when the iptables block is entered.
>
> It introduces two new config variables:
>
> ENABLE_EXT_BLOCK_SCRIPT_EXEC (default: N)
> EXTERNAL_BLOCK_SCRIPT (default: /bin/true)
>
> Very basic stuff.
>
> Enjoy!
>

Hello Steve,

Many thanks for sending the patch. I'll merge this and send out a new -pre release in two days or so.

--Mike

> murf
>
> On Thu, Jul 31, 2014 at 12:18 AM, Steve Murphy <m...@parsetree.com> wrote:
>
>> I'm writing a network app to mimic the OSSEC
>> active response feature across multiple hosts,
>> but without the OSSEC machinery behind it, and
>> without the per-agent registration.
>>
>> At any rate, it would be nice if I could execute
>> an external script from psad, when a block is
>> inserted in iptables. And it would be nice if the
>> script were run ONLY when a block was added.
>>
>> I see the config directives:
>>
>> ENABLE_EXT_SCRIPT_EXEC
>> EXTERNAL_SCRIPT
>> EXEC_EXT_SCRIPT_PER_ALERT
>>
>> and I see that EXTERNAL_SCRIPT replaces SRCIP in the
>> command string. Too bad DANGERLEVEL isn't also substituted.
>> There might even be a few more that might be nice to have...
>>
>> I also see that I get psad-status emails when an IP is banned;
>> psad-alert messages can come out several times before being banned...
>>
>> What would you advise me to do, to get the effect I seek from psad? One
>> execution of the external script only when an IP is entered into iptables...
>>
>> murf
>>
>> --
>>
>> Steve Murphy
>> ParseTree Corporation
>> 57 Lane 17
>> Cody, WY 82414
>> ✉ murf at parsetree dot com
>> ☎ 307-899-5535
>>
>
> --
>
> Steve Murphy
> ParseTree Corporation
> 57 Lane 17
> Cody, WY 82414
> ✉ murf at parsetree dot com
> ☎ 307-899-5535
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> psad-discuss mailing list
> psad-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/psad-discuss
>

--
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F