Re: [ossec-list] rule based geoip block

2016-04-21 Thread Fredrik
Hi Gil! Found your post (question) as I was researching options to create rules with geoip attributes. I would also be very interested in doing what you suggest below, e.g. !US. When I learned this wasn't possible, I tried to make use of the active-response feature and a simple sh-script and t
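As an added example (not Fredrik's script and not part of the thread), here is what an active-response workaround of the kind described above can look like: a script in the shape OSSEC uses for active-response commands (invoked as `ACTION USER SRCIP ALERTID RULEID`, with `ACTION` being `add` or `delete`) that resolves the source IP's country with the legacy `geoiplookup` CLI and blocks only when the country is outside an allow-list. The `ALLOW_COUNTRIES` and `BLOCK_UNKNOWN` variables, the `geoiplookup` output format relied on, the `iptables` rules and the log path are all assumptions of this example. The lookup failing (no database, private IP) is handled explicitly: by default the script fails open rather than blocking on an unknown country, because an unreachable GeoIP database should not turn every alert into a ban.

```shell
#!/bin/sh
# Added example, not OSSEC project code: country-based active-response.
# OSSEC calls active-response scripts as: <script> ACTION USER SRCIP ALERTID RULEID
# ACTION is "add" (apply the response) or "delete" (undo it after the timeout).

ALLOW_COUNTRIES="${ALLOW_COUNTRIES:-US}"   # assumption: space-separated ISO codes never blocked
BLOCK_UNKNOWN="${BLOCK_UNKNOWN:-no}"        # assumption: fail open when the lookup fails

# Pull the ISO code out of a geoiplookup(1) line such as
# "GeoIP Country Edition: US, United States" (assumed format).
# Anything else, including "IP Address not found", yields UNKNOWN.
parse_geoiplookup() {
    cc=$(printf '%s\n' "$1" | sed -n 's/^GeoIP Country Edition: \([A-Z0-9][A-Z0-9]\),.*/\1/p')
    [ -n "$cc" ] && echo "$cc" || echo "UNKNOWN"
}

# Resolve an IP to a country code; a missing binary or database gives UNKNOWN.
country_of() {
    out=$(geoiplookup "$1" 2>/dev/null) || out=""
    parse_geoiplookup "$out"
}

# True (0) when the code is in ALLOW_COUNTRIES.
is_allowed_country() {
    for a in $ALLOW_COUNTRIES; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# Policy decision for a country code: prints "block" or "allow".
decide() {
    if [ "$1" = "UNKNOWN" ]; then
        [ "$BLOCK_UNKNOWN" = "yes" ] && echo block || echo allow
        return 0
    fi
    if is_allowed_country "$1"; then echo allow; else echo block; fi
}

# Entry point when OSSEC runs the script; skipped when no arguments are given.
if [ "$#" -ge 3 ]; then
    ACTION="$1"; IP="$3"
    CC=$(country_of "$IP")
    case "$ACTION" in
        add)
            if [ "$(decide "$CC")" = "block" ]; then
                iptables -I INPUT -s "$IP" -j DROP
                echo "$(date) blocked $IP ($CC)" >> /var/ossec/logs/active-responses.log
            fi ;;
        delete)
            # Remove the rule when OSSEC's active-response timeout expires.
            iptables -D INPUT -s "$IP" -j DROP 2>/dev/null || true ;;
    esac
fi
```

Because OSSEC passes the same arguments to every active-response command, the script drops in next to the stock `firewall-drop.sh` and is wired up through an ordinary `<command>` / `<active-response>` pair; the country decision is kept in `decide` so the policy can be exercised without a GeoIP database or root privileges.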

Re: [ossec-list] rule based geoip block

2015-05-27 Thread Xavier Mertens
Nice! I'll test this patch! /x On Wed, May 27, 2015 at 6:37 PM, dan (ddp) wrote: > On Wed, May 27, 2015 at 12:29 PM, Michael Starks > wrote: > > On 05/27/2015 07:19 AM, Xavier Mertens wrote: > >> Hi Gil, > >> When I wrote this patch for OSSEC a long time ago (it was later > >> integrated into

Re: [ossec-list] rule based geoip block

2015-05-27 Thread dan (ddp)
On Wed, May 27, 2015 at 12:29 PM, Michael Starks wrote: > On 05/27/2015 07:19 AM, Xavier Mertens wrote: >> Hi Gil, >> When I wrote this patch for OSSEC a long time ago (it was later >> integrated into the main branch), my goal was not to create >> "geolocalized" alerts. IMHO, to add this feature,

Re: [ossec-list] rule based geoip block

2015-05-27 Thread Michael Starks
On 05/27/2015 07:19 AM, Xavier Mertens wrote: > Hi Gil, > When I wrote this patch for OSSEC a long time ago (it was later > integrated into the main branch), my goal was not to create > "geolocalized" alerts. IMHO, to add this feature, it requires a lot of > patching because you need to define a ne

Re: [ossec-list] rule based geoip block

2015-05-27 Thread Gil Vidals
What language is the source code? C? If we decide to contribute to the source code, it would be to add new tags: srccountry, srccity and dstcountry, dstcity. *srccountry:* Any country decoded as srccountry. Use ”!” to negate it. *example: (any country outside the US)* !US On Wednesday, May 27

Re: [ossec-list] rule based geoip block

2015-05-27 Thread Xavier Mertens
Hi Gil, When I wrote this patch for OSSEC a long time ago (it was later integrated into the main branch), my goal was not to create "geolocalized" alerts. IMHO, to add this feature, it requires a lot of patching because you need to define a new keyword to be used in alerts like "srcip", "user", "da

[ossec-list] rule based geoip block

2015-05-26 Thread Gil Vidals
Since OSSEC has support for incorporating geoip, is there a way to include rules that are based on country code? I couldn't find any instructions in the manual for doing so. There are some custom rules I wrote that would be enhanced and triggered only for certain countries. I understand that th