Closed SirTerrific closed 4 years ago
You could try this, maybe...
code from reddit (u/BlackSweeper):
system( "$iptables -A ${chain}_BLOCK -j LOG -m limit --limit 10/minute --limit-burst 5 --log-level 4 --log-prefix 'DROP_$chain' " )
system( "$iptables -A ${chain}_BLOCK -j LOG -m limit --limit 10/minute --limit-burst 5 --log-level 4 --log-prefix 'DROP_$chain '" )
without an extra shell process (all arguments are properly escaped):
system( $iptables, '-A', "${chain}_BLOCK", qw{-j LOG -m limit --limit 10/minute --limit-burst 5 --log-level 4 --log-prefix}, "DROP_$chain " )
# qw = quote word
I have some difficulties extracting the fields with my SIEM. Usually we have: Jun 14 03:34:31 10.0.0.1 kernel: DNAT IN=red0 OUT= MAC=00:0d:b9:49:d7:36:00:17:10:97:d9:1e:08:00 SRC=119.18.2.145 DST= LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=20830 DF PROTO=TCP SPT=29485 DPT=51413 WINDOW=65535 RES=0x00 SYN URGP=0
The action is DNAT and IN is the direction,
but with the blocklist log we have: Jun 14 03:34:27 10.0.0.1 kernel: DROP_ALIENVAULTIN=red0 OUT= MAC=00:0d:b9:49:d7:36:00:17:10:97:d9:1e:08:00 SRC=94.102.56.235 DST= LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=15328 PROTO=TCP SPT=46312 DPT=11015 WINDOW=1024 RES=0x00 SYN URGP=0
The action is merged with the "direction".
How can I correct that?
Thanks.
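An added example, not code from this thread or from the project it concerns, covering both sides of the problem above: the rule side, where the --log-prefix is built with the trailing space (as an argv list mirroring the list-form system() call in the first comment, so no shell re-parses the chain name), and the SIEM side, a parser that still recovers the action from lines that were already logged without the space, by treating everything between "kernel: " and the first "IN=" as the prefix. The two sample lines are constructed from the ones quoted above; the 29-character prefix limit comes from the iptables(8) LOG target documentation; the function and field names are my own.

```python
import re
import subprocess

# Constructed sample lines, modelled on the two kernel log lines quoted in the thread.
SAMPLE_DNAT = (
    "Jun 14 03:34:31 10.0.0.1 kernel: DNAT IN=red0 OUT= "
    "MAC=00:0d:b9:49:d7:36:00:17:10:97:d9:1e:08:00 SRC=119.18.2.145 DST= LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=50 ID=20830 DF PROTO=TCP SPT=29485 DPT=51413 "
    "WINDOW=65535 RES=0x00 SYN URGP=0"
)
# Logged by a rule whose --log-prefix lacked the trailing space: prefix and IN= run together.
SAMPLE_MERGED = (
    "Jun 14 03:34:27 10.0.0.1 kernel: DROP_ALIENVAULTIN=red0 OUT= "
    "MAC=00:0d:b9:49:d7:36:00:17:10:97:d9:1e:08:00 SRC=94.102.56.235 DST= LEN=40 "
    "TOS=0x00 PREC=0x00 TTL=249 ID=15328 PROTO=TCP SPT=46312 DPT=11015 "
    "WINDOW=1024 RES=0x00 SYN URGP=0"
)

# iptables(8), LOG target: "--log-prefix prefix ... up to 29 letters long".
MAX_LOG_PREFIX = 29


def log_prefix(chain, action="DROP"):
    """Build a --log-prefix value that cannot run into the IN= field.

    The trailing space is the whole fix; the kernel writes the prefix verbatim
    and immediately follows it with "IN=". The length check is an assumption of
    this example: iptables truncates silently, a build step should not.
    """
    prefix = f"{action}_{chain} "
    if len(prefix) > MAX_LOG_PREFIX:
        raise ValueError(f"prefix {prefix!r} exceeds {MAX_LOG_PREFIX} characters")
    return prefix


def block_log_argv(iptables, chain):
    """argv equivalent of the list-form system() call in the thread.

    Passing a list (and never shell=True) means a chain name is one argument,
    not text that a shell re-parses for quotes, spaces or metacharacters.
    """
    return [
        iptables, "-A", f"{chain}_BLOCK",
        "-j", "LOG", "-m", "limit", "--limit", "10/minute", "--limit-burst", "5",
        "--log-level", "4", "--log-prefix", log_prefix(chain),
    ]


def add_block_log_rule(iptables, chain):
    """Run the rule without a shell (hypothetical helper; needs root and iptables)."""
    return subprocess.run(block_log_argv(iptables, chain), check=True)


# Everything after "kernel: " up to the first "IN=" is the prefix, whether or
# not the rule put a space between them. The IN= token itself belongs to the
# key=value list, so the parser puts it back before splitting the fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<prefix>.*?)IN=(?P<rest>.*)$"
)
KV_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<value>\S*)")


def parse_iptables_log(line):
    """Return a dict of fields for one kernel LOG line, or None if it is not one.

    "action" is the --log-prefix with surrounding whitespace removed, so the
    merged form DROP_ALIENVAULTIN=red0 and the correct form "DNAT IN=red0"
    both yield a clean action and a separate IN field.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "action": m.group("prefix").strip(),
    }
    flags = []  # bare tokens without "=", e.g. DF, SYN
    for tok in ("IN=" + m.group("rest")).split():
        kv = KV_RE.fullmatch(tok)
        if kv:
            fields[kv.group("key")] = kv.group("value")
        else:
            flags.append(tok)
    fields["flags"] = flags
    return fields


if __name__ == "__main__":
    print(block_log_argv("/sbin/iptables", "ALIENVAULT"))
    for sample in (SAMPLE_DNAT, SAMPLE_MERGED):
        f = parse_iptables_log(sample)
        print(f["action"], f["IN"], f["SRC"], f["DPT"], f["flags"])
```

The parser is deliberately tolerant so that lines logged before the prefix was fixed still yield the right action; once every rule uses log_prefix(), the SIEM can also match on the plain "DROP_<chain> IN=" form. Note that a prefix containing "IN=" itself would confuse the split, which is a further reason to keep prefixes to a fixed "<ACTION>_<CHAIN> " shape.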