netfilter.vger.kernel.org archive mirror
* Log and Drop with OSSEC
From: David ROBERT @ 2010-05-07 15:41 UTC (permalink / raw)
  To: netfilter

Hi All,

I have a very basic question. I am updating an active response script
for OSSEC that adds DROP rules. I added rules to log packets being
dropped:
Example for IP 1.1.1.1:

iptables -I INPUT -s 1.1.1.1 -m limit --limit 1/sec -j LOG \
    --log-prefix OSSEC-HIDS --log-level 7    # rule added
iptables -I INPUT -s 1.1.1.1 -j DROP         # original rule

It doesn't log. It actually logs if I only run the first rule; as soon
as I run the DROP rule, it DROPs packets indeed, but it won't log
anymore.

Thanks

David ROBERT
http://blog.ombrepixel.com/


* Re: Log and Drop with OSSEC
From: David ROBERT @ 2010-05-13  9:47 UTC (permalink / raw)
  To: netfilter

Hi All,

This was too obvious so I couldn't find it... I did a "-I" for the
DROP rule, so obviously it was matched before the LOG rule... tsss..

David

2010/5/7 David ROBERT <castlebbs@gmail.com>:
> Hi All,
>
> I have a very basic question. I am updating an active response script
> for OSSEC that adds DROP rules. I added rules to log packets being
> dropped:
> Example for IP 1.1.1.1:
>
> iptables -I INPUT -s 1.1.1.1 -m limit --limit 1/sec -j LOG \
>     --log-prefix OSSEC-HIDS --log-level 7    # rule added
> iptables -I INPUT -s 1.1.1.1 -j DROP         # original rule
>
> It doesn't log. It actually logs if I only run the first rule; as soon
> as I run the DROP rule, it DROPs packets indeed, but it won't log
> anymore.


-- 
David ROBERT
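
The ordering problem described in this thread, modelled as an added example that is not part of the original messages: a small shell simulation of a chain in which `-I` without a position puts the rule at the head, LOG is non-terminating and DROP ends traversal. The function names and the text model of the chain are assumptions made for illustration; no real iptables calls are made.

```shell
#!/bin/sh
# Constructed model of one chain: one "SOURCE TARGET" rule per line,
# top line is evaluated first. Hypothetical helpers, not OSSEC code.
CHAIN=""

# Emulates "iptables -I INPUT -s SRC -j TARGET": no position means head of chain.
insert_rule() {
    if [ -z "$CHAIN" ]; then CHAIN="$1 $2"; else CHAIN="$1 $2
$CHAIN"; fi
}

# Emulates "iptables -A INPUT -s SRC -j TARGET": rule goes to the end of the chain.
append_rule() {
    if [ -z "$CHAIN" ]; then CHAIN="$1 $2"; else CHAIN="$CHAIN
$1 $2"; fi
}

# Prints the targets a packet from source $1 hits, in order.
# LOG lets the packet continue; DROP/ACCEPT/REJECT stop traversal.
traverse() {
    hit=""
    while read -r src target; do
        [ "$src" = "$1" ] || continue
        hit="${hit:+$hit }$target"
        case "$target" in DROP|ACCEPT|REJECT) break ;; esac
    done <<EOF
$CHAIN
EOF
    echo "$hit"
}

# Order used in the thread: LOG inserted first, DROP inserted second.
# DROP ends up on top, so LOG is never reached.
order_from_thread() { CHAIN=""; insert_rule 1.1.1.1 LOG; insert_rule 1.1.1.1 DROP; traverse 1.1.1.1; }

# Still using -I, but DROP first and LOG second, so LOG lands above DROP.
order_fixed_insert() { CHAIN=""; insert_rule 1.1.1.1 DROP; insert_rule 1.1.1.1 LOG; traverse 1.1.1.1; }

# Using -A instead keeps the rules in the order they were typed.
order_fixed_append() { CHAIN=""; append_rule 1.1.1.1 LOG; append_rule 1.1.1.1 DROP; traverse 1.1.1.1; }

echo "thread order (-I LOG, -I DROP): $(order_from_thread)"
echo "fixed order  (-I DROP, -I LOG): $(order_fixed_insert)"
echo "fixed order  (-A LOG, -A DROP): $(order_fixed_append)"
```

On a real host, `iptables -L INPUT -n --line-numbers` shows the resulting positions, and the LOG rule has to sit above the DROP rule for the same source.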
