Hi Gil!
Found your post (question) as I was researching options to create rules
with geoip-attributes. I would also be very interested in doing what you
suggest below, e.g. !US. When I learned this
wasn't possible, I tried to make use of the active_response feature and a
simple sh-script and t
Nice! I'll test this patch!
/x
On Wed, May 27, 2015 at 6:37 PM, dan (ddp) wrote:
> On Wed, May 27, 2015 at 12:29 PM, Michael Starks
> wrote:
> > On 05/27/2015 07:19 AM, Xavier Mertens wrote:
> >> Hi Gil,
> >> When I wrote this patch for OSSEC a long time ago (it was later
> >> integrated into
On Wed, May 27, 2015 at 12:29 PM, Michael Starks
wrote:
> On 05/27/2015 07:19 AM, Xavier Mertens wrote:
>> Hi Gil,
>> When I wrote this patch for OSSEC a long time ago (it was later
>> integrated into the main branch), my goal was not to create
>> "geolocalized" alerts. IMHO, to add this feature,
On 05/27/2015 07:19 AM, Xavier Mertens wrote:
> Hi Gil,
> When I wrote this patch for OSSEC a long time ago (it was later
> integrated into the main branch), my goal was not to create
> "geolocalized" alerts. IMHO, to add this feature, it requires a lot of
> patching because you need to define a ne
What language is the source code? C?
If we decide to contribute to the source code, it would be to add new tags:
srccountry, srccity and dstcountry, dstcity.
*srccountry:*
Any country decoded as srccountry.
Use "!" to negate it.
*example: (any country outside the US)*
!US
On Wednesday, May 27
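The srccountry / "!" negation semantics proposed above, as an added example that is not part of this thread or of OSSEC: a small matcher applied to constructed alerts. The comma-separated list form ("US,CA"), the alert dict layout and the handling of alerts with no decoded country are assumptions made here for illustration, not OSSEC syntax.

```python
# Added example (not OSSEC code): evaluate a proposed srccountry/dstcountry
# rule value such as "US" or "!US" against the country code a GeoIP decoder
# attached to an alert. The list form "US,CA" is an assumed extension.

def parse_country_rule(rule):
    """Return (negate, set_of_codes) for 'US', '!US' or the assumed 'US,CA'."""
    rule = rule.strip()
    negate = rule.startswith("!")
    codes = {c.strip().upper() for c in rule.lstrip("!").split(",") if c.strip()}
    if not codes:
        raise ValueError("empty country rule")
    return negate, codes

def match_country_rule(rule, country):
    """True if the decoded country code satisfies the rule.

    Design choice made here: an alert with no decoded country (None, e.g. a
    private/RFC 1918 source GeoIP cannot resolve) matches neither a positive
    rule nor a negated one, so "!US" does not fire on unresolved addresses.
    """
    negate, codes = parse_country_rule(rule)
    if not country:
        return False
    hit = country.upper() in codes
    return not hit if negate else hit

# Constructed sample alerts (documentation-range IPs), shaped as a decoder
# might hand them on after a GeoIP lookup.
SAMPLE_ALERTS = [
    {"srcip": "203.0.113.10", "srccountry": "US", "rule": "sshd failed login"},
    {"srcip": "198.51.100.7", "srccountry": "DE", "rule": "sshd failed login"},
    {"srcip": "192.168.1.5",  "srccountry": None, "rule": "sshd failed login"},
    {"srcip": "192.0.2.44",   "srccountry": "BR", "rule": "web 404 burst"},
]

def select_alerts(alerts, rule, field="srccountry"):
    """Return the alerts whose country field satisfies the rule."""
    return [a for a in alerts if match_country_rule(rule, a.get(field))]

if __name__ == "__main__":
    # "any country outside the US", as in the example above
    for a in select_alerts(SAMPLE_ALERTS, "!US"):
        print(a["srcip"], a["srccountry"], a["rule"])
```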
Hi Gil,
When I wrote this patch for OSSEC a long time ago (it was later integrated
into the main branch), my goal was not to create "geolocalized" alerts.
IMHO, to add this feature, it requires a lot of patching because you need
to define a new keyword to be used in alerts like "srcip", "user", "da
Since OSSEC has support for incorporating geoip, is there a way to include
rules that are based on country code? I couldn't find any instructions in
the manual for doing so. There are some custom rules I wrote that would be
enhanced and triggered only for certain countries.
I understand that th