From 8e5f1da414a06ae6a577e5e16e501e260269aca1 Mon Sep 17 00:00:00 2001 From: Pawel Krawczyk Date: Thu, 8 Jan 2015 23:51:24 +0000 Subject: [PATCH] add OpenWRT documentation --- README.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/README.md b/README.md index 3ba59e1..9f2dce7 100644 --- a/README.md +++ b/README.md @@ -84,6 +84,21 @@ Example OSSEC configuration: 5720 +Another script `router-drop.sh` will perform the same action on a remote router over SSH. This is useful in case of embedded routers where OSSEC agent installation is unfeasibile. OpenWRT logs (over syslog) to a more powerful Linux box with OSSEC installed. On alerts the active response script installed that blocks uoffending IP addresses on the router: + +``` + +---------+ ----- syslog -------> +-------+ +--| OpenWRT | | Linux | + | | | OSSEC | + +---------+ <- active response -- +-------+ + +``` + +The `router-drop.sh` script requires two configuration steps: + +* configure the `ROUTER` variable to a SSH string for root login to the router (e.g. *root@gw.example.com*) +* install SSH keys to actually log in; the keys need to be installed on root account as this is where active response script are running + ## Samples Number of blacklisted IP addresses:
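Review bot: The second bullet under "The `router-drop.sh` script requires two configuration steps" asks for SSH keys that give the OSSEC host's root account a root login on the router, but says nothing about limiting that key or about host key verification. Since the key grants full control of the gateway to whoever controls the OSSEC box, I would add a sentence recommending a dedicated key pair used only by this script and, where the router's SSH server allows it, restricted to the blocking command. Active response runs unattended, so the README should also say that the router's host key has to be in root's `known_hosts` before the first alert, otherwise the first connection stops at the confirmation prompt. Wording in the first added paragraph needs a pass: "unfeasibile" should be "unfeasible", "uoffending" should be "offending", and "On alerts the active response script installed that blocks" does not parse; "On alerts, the active response script blocks offending IP addresses on the router" would work. In the bullets, "a SSH string" should be "an SSH string" and "active response script are running" should be "active response scripts are running".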