Mike--

I see the alteration, and thoroughly approve. I would have merged the two
invocations myself, but came to indecision as to exactly how to implement
that... push the PER_ALERT stuff up a level, or make special code inside the
external script call... I left that to you, and you did great.

murf


On Wed, Aug 20, 2014 at 9:11 PM, Michael Rash <michael.r...@gmail.com>
wrote:

>
>
> On Mon, Aug 11, 2014 at 11:35 PM, Michael Rash <michael.r...@gmail.com>
> wrote:
>
>>
>> On Mon, Aug 11, 2014 at 10:00 AM, Steve Murphy <m...@parsetree.com>
>> wrote:
>>
>>> In answer to my own question, I include a patch to psad that
>>> will allow the user to define a call to an external script,
>>> that will get executed only when the iptables block is entered.
>>>
>>> It introduces two new config variables:
>>>
>>> ENABLE_EXT_BLOCK_SCRIPT_EXEC   (default: N)
>>> EXTERNAL_BLOCK_SCRIPT    (default: /bin/true)
>>>
>>> Very basic stuff.
>>>
>>> Enjoy!
>>>
>>>
>> Hello Steve,
>>
>> Many thanks for sending the patch.  I'll merge this and send out a new
>> -pre release in two days or so.
>>
>>
> Steve,
>
> Apologies for the delay. I've merged a slightly modified version of your
> patch and added you to the 'CREDITS' file. Here is psad-2.2.4-pre1 if you
> want to test it out:
>
> https://www.cipherdyne.org/psad/download/psad-2.2.4-pre1.tar.gz
>
> sha256: d734553fa80dfa92125fdd43781d997a84c1dc059ce2e032eafae3e4b0e93afe
>
> Thanks,
>
> --Mike
>
>
>> --Mike
>>
>>
>>>  murf
>>>
>>>
>>>
>>> On Thu, Jul 31, 2014 at 12:18 AM, Steve Murphy <m...@parsetree.com>
>>> wrote:
>>>
>>>>
>>>> I'm writing a network app to mimic the OSSEC
>>>> active response feature across multiple hosts,
>>>> but without the OSSEC machinery behind it, and
>>>> without the per-agent registration.
>>>>
>>>> At any rate, it would be nice if I could execute
>>>> an external script from psad, when a block is
>>>> inserted in iptables. And it would be nice if the
>>>> script were run ONLY when a block was added.
>>>>
>>>> I see the config directives:
>>>>
>>>> ENABLE_EXT_SCRIPT_EXEC
>>>> EXTERNAL_SCRIPT
>>>> EXEC_EXT_SCRIPT_PER_ALERT
>>>>
>>>> and I see that EXTERNAL_SCRIPT replaces SRCIP in the
>>>> command string. Too bad DANGERLEVEL isn't also substituted.
>>>> There might even be a few more that might be nice to have...
>>>>
>>>> I also see that I get psad-status emails when an IP is banned;
>>>> psad-alert messages can come out several times before being banned...
>>>>
>>>> What would you advise me to do, to get the effect I seek from psad? One
>>>> execution of the external script only when an IP is entered into 
>>>> iptables...
>>>>
>>>> murf
>>>>
>>>> --
>>>>
>>>> Steve Murphy
>>>> ParseTree Corporation
>>>> 57 Lane 17
>>>> Cody, WY 82414
>>>> ✉  murf at parsetree dot com
>>>> ☎ 307-899-5535
>>>>
>>>>
>>>>
>>>
>>> ------------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> psad-discuss mailing list
>>> psad-discuss@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/psad-discuss
>>>
>>>
>>
>>
>> --
>> Michael Rash | Founder
>> http://www.cipherdyne.org/
>> Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
>>
>

