[psad-discuss] external script
Steve Murphy
2014-07-31 06:18:10 UTC
I'm writing a network app to mimic the OSSEC
active response feature across multiple hosts,
but without the OSSEC machinery behind it, and
without the per-agent registration.

At any rate, it would be nice if I could execute
an external script from psad, when a block is
inserted in iptables. And it would be nice if the
script were run ONLY when a block was added.

I see the config directives:

ENABLE_EXT_SCRIPT_EXEC
EXTERNAL_SCRIPT
EXEC_EXT_SCRIPT_PER_ALERT

and I see that EXTERNAL_SCRIPT replaces SRCIP in the
command string. Too bad DANGERLEVEL isn't also substituted.
There might even be a few more that might be nice to have...

I also see that I get psad-status emails when an IP is banned;
psad-alert messages can come out several times before being banned...

What would you advise me to do, to get the effect I seek from psad? One
execution of the external script only when an IP is entered into iptables...

murf
--
Steve Murphy
ParseTree Corporation
57 Lane 17
Cody, WY 82414
✉ murf at parsetree dot com
☎ 307-899-5535
Steve Murphy
2014-08-11 14:00:29 UTC
In answer to my own question, I include a patch to psad that
will allow the user to define a call to an external script
that will get executed only when the iptables block is entered.

It introduces two new config variables:

ENABLE_EXT_BLOCK_SCRIPT_EXEC (default: N)
EXTERNAL_BLOCK_SCRIPT (default: /bin/true)

Very basic stuff.

Enjoy!

murf
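The directives listed in the first message (EXTERNAL_SCRIPT with its SRCIP substitution, fired per alert) and the EXTERNAL_BLOCK_SCRIPT introduced by the patch both end up executing whatever command string is configured. Below is an added example of a hook to put at the other end of either directive; it is not psad's code and was not posted in this thread. It assumes psad hands the substituted address to the script as its only argument; the script path, the state directory, the PEERS list and the ssh fan-out to other hosts are hypothetical. The validation step matters because the address originates in attacker-controlled packet headers, and the marker file gives the run-once behaviour Steve asks for even when the hook is attached to the per-alert directive.

```shell
#!/bin/sh
# psad-block-hook: added example, not psad's own code and not from this thread.
# Intended to be wired in through the directives discussed above, e.g.
#   EXTERNAL_SCRIPT        /usr/local/sbin/psad-block-hook SRCIP;   (fires per alert)
#   EXTERNAL_BLOCK_SCRIPT  /usr/local/sbin/psad-block-hook SRCIP;   (fires when the block is added)
# psad replaces SRCIP with the offending source address. The script path,
# STATE_DIR, PEERS and the ssh fan-out below are assumptions of this example.

STATE_DIR="${PSAD_HOOK_STATE_DIR:-/var/run/psad-block-hook}"  # assumed location
PEERS="${PSAD_HOOK_PEERS:-}"   # space-separated hosts to mirror the block to (assumed)

# valid_ipv4 IP: accept only a dotted quad with decimal octets 0-255 and no
# leading zeros. The address comes from attacker-controlled packet headers,
# so nothing else may reach the ssh/iptables command lines built below.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0[0-9]*) return 1 ;; esac
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# block_once IP: 0 the first time IP is seen, 1 if already handled, 2 if IP is
# not an address, 3 if the state directory is unusable. A per-IP marker file
# created under noclobber (set -C) is an atomic create-if-absent, so several
# alerts for the same source arriving close together act at most once.
# Markers should be pruned when psad's own block expires (AUTO_BLOCK_TIMEOUT);
# that housekeeping is left out here.
block_once() {
    ip=$1
    valid_ipv4 "$ip" || return 2
    mkdir -p "$STATE_DIR" 2>/dev/null || return 3
    if ( set -C; : > "$STATE_DIR/$ip" ) 2>/dev/null; then
        return 0
    fi
    return 1
}

# fan_out IP: mirror the block to each peer, continuing past failures.
# Illustrative only; the peers are assumed to accept a restricted key whose
# forced command is limited to inserting this one rule.
fan_out() {
    ip=$1
    for h in $PEERS; do
        ssh -o BatchMode=yes "$h" "iptables -I INPUT -s $ip -j DROP" </dev/null \
            || echo "psad-block-hook: could not block $ip on $h" >&2
    done
}

main() {
    if block_once "$1"; then
        logger -t psad-block-hook "new block for $1, mirroring to peers" 2>/dev/null || true
        fan_out "$1"
    fi
}

# psad invokes the script with the address as its only argument; run without
# one (or sourced), nothing happens so the functions can be exercised in place.
if [ $# -eq 1 ]; then
    main "$1"
fi
```

Attached to EXTERNAL_BLOCK_SCRIPT the marker mainly guards against the same address being blocked again later; attached to EXTERNAL_SCRIPT with EXEC_EXT_SCRIPT_PER_ALERT it is what collapses the several psad-alert messages that precede a ban into a single action.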
Michael Rash
2014-08-12 03:35:29 UTC
Hello Steve,

Many thanks for sending the patch. I'll merge this and send out a new -pre
release in two days or so.

--Mike
--
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
Michael Rash
2014-08-21 03:11:56 UTC
Steve,

Apologies for the delay. I've merged a slightly modified version of your
patch and added you to the 'CREDITS' file. Here is psad-2.2.4-pre1 if you
want to test it out:

https://www.cipherdyne.org/psad/download/psad-2.2.4-pre1.tar.gz

sha256: d734553fa80dfa92125fdd43781d997a84c1dc059ce2e032eafae3e4b0e93afe

Thanks,

--Mike
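Before unpacking a pre-release tarball it is worth checking its digest against the value posted in the message rather than against a checksum file served from the same host as the download. The following is an added example, not from psad or from this thread; the URL and hash are the ones quoted above, and the function names and the fetch step are its own.

```shell
#!/bin/sh
# Added example, not from psad or this thread: verify the checksum Mike posted
# for psad-2.2.4-pre1 before unpacking the tarball. The URL and hash are the
# ones quoted in the message; the function names and the fetch step are this
# example's own.

PRE1_URL="https://www.cipherdyne.org/psad/download/psad-2.2.4-pre1.tar.gz"
PRE1_SHA256="d734553fa80dfa92125fdd43781d997a84c1dc059ce2e032eafae3e4b0e93afe"

# sha256_of FILE: print the hex digest using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# verify_sha256 FILE EXPECTED: 0 on match, 1 on mismatch, 2 if FILE is
# unreadable. Compared case-insensitively so a hash pasted in upper case
# still matches; EXPECTED is supplied by the caller (from the message),
# never read from a file that travelled with the tarball.
verify_sha256() {
    [ -r "$1" ] || return 2
    got=$(sha256_of "$1" | tr 'A-F' 'a-f')
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# fetch_and_verify: download the pre-release and refuse to unpack on mismatch.
# 0 on success, 1 on a bad digest (file removed), 2 if the download failed.
fetch_and_verify() {
    f=$(basename "$PRE1_URL")
    curl -fsSLO "$PRE1_URL" || return 2
    if verify_sha256 "$f" "$PRE1_SHA256"; then
        tar xzf "$f"
    else
        echo "checksum mismatch for $f; not unpacking" >&2
        rm -f "$f"
        return 1
    fi
}

# Usage: source this file or append a line "fetch_and_verify" to run it.
```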
Steve Murphy
2014-08-21 14:38:17 UTC
Mike--

I see the alteration, and thoroughly approve. I would have merged the two
invocations myself, but came to indecision as to exactly how to implement
that... push the PER_ALERT stuff up a level, or make special code inside the
external script call... I left that to you, and you did great.

murf
Michael Rash
2014-08-22 01:38:53 UTC
Thanks for mentioning the per-alert tracking stuff - I've committed another
minor change to maintain better separation with that feature.

--Mike