As a note, the default value for "syslog_programs" was scrapped
because it was not used. Consider flipping Required=Y and putting
it back, to whom it may concern.
Changed a validation message to not end with a question. Although
I do not oppose this, the current rule is "dot" for end of sentence
only, and the question appears to be better suited for the help text,
where it can be accessed beforehand by the user.
- Add repeated_offenders field to active response settings
- Remove 'without context' from ossec.conf include loop to allow
variable access in config fragments
- Fix opnsense-fw.conf template bug: wazuh_command -> active_response
- Bump model version to 1.0.3
When multiple IPs triggered the same rule simultaneously, they shared
the same check_keys value (only the rule ID), causing the manager
to abort all but the first execution.
Changed the key to include both rule_id and srcip, making it unique
per source IP, which allows multiple simultaneous blocks while still
preventing duplicate blocks of the same IP.
Fixes #4738
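The collision described in the commit above, replayed against constructed alerts. This is an added example, not code from the wazuh-agent plugin or the opnsense-fw active-response script. The check_keys request follows the shape a Wazuh active-response script writes to stdout (version, origin, command, parameters.keys); the manager side is a simulation (FakeManager) that treats any key list it has already seen as a duplicate and answers "abort", with no timeout window, which is a simplification of the real manager. Alert contents, the "opnsense-fw" origin name and the "rule_id-srcip" key format are assumptions for illustration.

```python
import json

# Constructed sample alerts: two different source IPs hit rule 5710 in the
# same second, then the first IP hits it again. Values are made up.
ALERTS = [
    {"rule": {"id": "5710"}, "data": {"srcip": "203.0.113.10"}},
    {"rule": {"id": "5710"}, "data": {"srcip": "203.0.113.11"}},
    {"rule": {"id": "5710"}, "data": {"srcip": "203.0.113.10"}},
]


def old_key(alert):
    """Key scheme before the fix: only the rule ID, so every IP collides."""
    return alert["rule"]["id"]


def new_key(alert):
    """Key scheme after the fix: rule ID plus source IP (assumed separator '-')."""
    return f'{alert["rule"]["id"]}-{alert["data"]["srcip"]}'


def check_keys_message(keys):
    """Build the check_keys request an active-response script sends to the manager.

    Shape follows the Wazuh active-response protocol (version 1); the origin
    name is assumed.
    """
    return json.dumps({
        "version": 1,
        "origin": {"name": "opnsense-fw", "module": "active-response"},
        "command": "check_keys",
        "parameters": {"keys": list(keys)},
    })


class FakeManager:
    """Stand-in for the manager's reply over stdin: 'continue' or 'abort'.

    Simulation only: it remembers every key list it has seen and aborts any
    repeat, with no expiry. A real manager applies a timeout window.
    """

    def __init__(self):
        self.seen = set()

    def answer(self, request_json):
        request = json.loads(request_json)
        assert request["command"] == "check_keys"
        keys = tuple(request["parameters"]["keys"])
        if keys in self.seen:
            return "abort"
        self.seen.add(keys)
        return "continue"


def run_blocks(alerts, key_fn):
    """Run the alerts through one manager and return the IPs that got blocked."""
    manager = FakeManager()
    blocked = []
    for alert in alerts:
        request = check_keys_message([key_fn(alert)])
        if manager.answer(request) == "continue":
            blocked.append(alert["data"]["srcip"])
    return blocked


if __name__ == "__main__":
    # Old scheme: second IP is aborted as a "duplicate" of the first.
    print("old:", run_blocks(ALERTS, old_key))
    # New scheme: both IPs are blocked, the repeat of .10 is still aborted.
    print("new:", run_blocks(ALERTS, new_key))
```

Run it with `python3 check_keys_demo.py`; the old scheme blocks only 203.0.113.10, the new scheme blocks both 203.0.113.10 and 203.0.113.11 and still drops the repeated alert for 203.0.113.10. The point to check in a real deployment is that the srcip field is actually populated for every rule the response is attached to; an alert without it would fall back to a key that collides again.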
* Add ports to Events page
* fixes race condition updating the blocklist
* Native integration with DNSCrypt-proxy
Added Q-Feeds domains to the DNSBL list of DNSCrypt-Proxy. Changed from the initial way; this is more native. Q-Feeds domain txt files are only created if DNSCrypt-proxy is installed and the list (qf) is selected.
* Update Makefile
* Update pkg-descr
* Update security/q-feeds-connector/pkg-descr
Co-authored-by: Franco Fichtner <franco@lastsummer.de>
* Update security/q-feeds-connector/Makefile
Co-authored-by: Franco Fichtner <franco@lastsummer.de>
* Add threat lookup magnifier buttons to events table
- Add magnifier buttons next to source and destination IP addresses in events table
- Buttons open Threat Intelligence Portal in new tab with IP pre-filled
- Automatically triggers search when TIP page loads
- Buttons are right-aligned in their respective columns
- Works for both logged-in and logged-out users (with proper redirect handling)
* Update pkg-descr
* Refactor formatters to use template literals (backticks) for better readability
Addresses reviewer feedback to use template literals instead of string concatenation for HTML generation in JavaScript formatters.
* Update pkg-descr: consolidate all changes into version 1.3
* Use const instead of var for modern JavaScript best practices
Addresses reviewer feedback to use const/let instead of var for better block scoping and to prevent accidental reassignment.
---------
Co-authored-by: Franco Fichtner <franco@lastsummer.de>
Example rules:
block drop out log quick on em0_vlan108 inet6 from any to <__qfeeds_malware_ip> label "dc5f8e7ee80be02f12014877d82c96a2" tag qtag
block drop out log quick on em0_vlan109 inet from any to <__qfeeds_malware_ip> label "dc5f8e7ee80be02f12014877d82c96a2" tag qtag
block drop out log quick on em0_vlan109 inet6 from any to <__qfeeds_malware_ip> label "dc5f8e7ee80be02f12014877d82c96a2" tag qtag
block drop in quick on em1 reply-to (em1 x.x.x.22) inet from <__qfeeds_malware_ip> to any label "de057b37c3fe418169db727c1d8a3f79"
block drop in quick on em1 reply-to (em1 fe80::1e52) inet6 from <__qfeeds_malware_ip> to any label "de057b37c3fe418169db727c1d8a3f79"