Re: question IDS? réponse: OSSEC HIDS

To: debian-user-french@lists.debian.org
Subject: Re: question IDS? réponse: OSSEC HIDS
From: Laurent Besson <lolo@system-linux.net>
Date: Tue, 23 Jan 2007 16:53:15 +0100
Message-id: <[🔎] 200701231653.16466.lolo@system-linux.net>
In-reply-to: <[🔎] 45B220B5.9060802@gmail.com>
References: <[🔎] 409557.17970.qm@web27010.mail.ukl.yahoo.com> <200701201224.38185.lolo@system-linux.net> <[🔎] 45B220B5.9060802@gmail.com>

Re,

Dans /var/ossec/etc/ossec.conf j'ai ajouté :
  <command>
    <name>apache-drop</name>
    <executable>apache-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>  

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 18000 seconds on the firewall (iptables,
       - ipfilter, etc). When Something wrong with apache.
      -->
    <command>apache-drop</command>
    <location>local</location>
    <level>5</level>
    <timeout>18000</timeout>    
  </active-response>  

Pour le script apache-drop.sh (pour l'instant) :
ln 
-s /var/ossec/active-response/bin/firewall-drop.sh /var/ossec/active-response/bin/apache-drop.sh

Je suis entrain de réfléchir comment mettre en place une redirection, sur une 
page pour informer la personne (si elle existe) que son PC lance des requêtes 
incongrues sur le site et que cela se traduira par un blocage et (alerte à 
son FAI )

Voilà, voilà

Reply to:

Follow-Ups:
- Re: question IDS? réponse: OSSEC HIDS
  - From: Laurent Besson <lolo@system-linux.net>

References:
- RE : question IDS (detection d'intrusion) et autre logcheck?
  - From: Pitshou Asingalembi <depitsho@yahoo.fr>
- Re: question IDS? reponse: OSSEC HIDS
  - From: "xtz.info@gmail.com" <dead.but.dreamer@gmail.com>

Prev by Date: Re: occupation du disque bizarre
Next by Date: Re: question IDS? réponse: OSSEC HIDS
Previous by thread: Re: question IDS? reponse: OSSEC HIDS
Next by thread: Re: question IDS? réponse: OSSEC HIDS
Index(es):
- Date
- Thread