Whitelisting vulnerability scanners for specific rules


Stephen S

May 14, 2019, 1:05:55 PM5/14/19
to ossec-list
I've been following the instructions from the below link to set up a whitelist for our vulnerability scanners.

So far, I have the following config in /var/ossec/lists/approved_scanner_list

ipaddress1:scanner1
ipaddress2:scanner2

In /var/ossec/etc/ossec.conf I reference that by:

<list>/var/ossec/lists/approved_scanners_list</list>

Note here that I am not trying to block active responses, I want to disable any alerting emails that these scanners generate. Is that enough to block out all alerts from the scanners?

I am also looking to take this one step further and only block specific rules that a scanner may trigger if I so choose. 

In the link documentation it calls for the line:

<list field="srcip" lookup="address_match_key">lists/approved_scanners_list</list>

However, since I have multiple scanner IPs, can I list them in the "srcip" section as comma-delimited?

Such as field="ipaddress1, ipaddress2"

Also, I have no clue what "address_match_key" should translate to. How should I populate that field?

Can anyone help me get this going?

Brent

May 15, 2019, 11:07:29 AM5/15/19
to ossec-list
I haven't used address_match_key in a CDB, but this doc explains it pretty well. It's the type of lookup performed...

Also - I'd consider adding your scanner IPs to the whitelist in ossec.conf, even if you're not using active response.

I'm also not sure if this is enough to block out all the alerts; it really depends on what type of hosts you're protecting, and if you have "things" set up correctly (e.g. IIS logging). I would run a scan against a set of hosts and identify what type of alerts you're receiving. Then go down that road to quiet the alerting. I usually use <match></match> addresses in local_rules.xml for this type of work, but I'm sure a CDB list would work just as well.

HTH!!!

    • Value: address_match_key
      • Positive key match: field is an IP address and the key to search within the cdb, and will match if the key is present.
    • Value: not_address_match_key
      • Negative key match: field is an IP address and the key to search, and will match if it IS NOT present in the database.
    • Value: address_match_key_value
      • Key and Value Match: field is an IP address searched for in the cdb, and if found the value will be compared with the regex from attribute check_value.
      Note: This feature is not yet complete.
  • check_value
    • regex pattern for matching on the value pulled out of the cdb when using lookup types: address_match_key_value, match_key_value

Allowed:

Path to the CDB file to be used for lookup from the OSSEC directory. This file must also be included in the ossec.conf file.

Example:

<rule id="100000" level="7">
  <list lookup="match_key" field="srcip">path/to/list/file</list>
  <description>Checking srcip against cdb list file</description>
</rule>
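Pulling the pieces above together, here is an added configuration example (mine, not from either poster or the OSSEC documentation) that suppresses a chosen set of rules only for approved scanner addresses; the file paths follow the thread, while the IP addresses, the local rule ID and the parent rule ID are assumed placeholders.

```xml
<!-- Added example, not from the thread or the OSSEC project.
     Assumptions: the list file lives at /var/ossec/lists/approved_scanners_list
     and has been compiled with /var/ossec/bin/ossec-makelists; the addresses
     192.0.2.10/192.0.2.11 (RFC 5737 range) and rule IDs 100100/31100 are placeholders. -->

<!-- (1) Contents of lists/approved_scanners_list: one "ip:label" per line.
     Several scanners mean several lines, not a comma-separated "field" attribute;
     the key is the IP, the text after the colon is only a label.
       192.0.2.10:scanner1
       192.0.2.11:scanner2
-->

<!-- (2) /var/ossec/etc/ossec.conf: register the compiled list so the analysis
     daemon loads it. The path is relative to the OSSEC install directory. -->
<ossec_config>
  <rules>
    <list>lists/approved_scanners_list</list>
  </rules>
</ossec_config>

<!-- (3) /var/ossec/rules/local_rules.xml: a level-0 child rule that matches only
     when (a) a parent rule named in if_sid has fired and (b) the decoded srcip
     is a key in the CDB. Level 0 produces no alert, so no e-mail is sent.
     Events from any other source still stop at the parent rule and alert normally. -->
<group name="local,approved_scanners,">
  <rule id="100100" level="0">
    <!-- placeholder parent rule; list every rule ID your scans were seen firing -->
    <if_sid>31100</if_sid>
    <!-- field = decoded field to look up (srcip); lookup = how to compare it -->
    <list field="srcip" lookup="address_match_key">lists/approved_scanners_list</list>
    <description>Approved vulnerability scanner; alert suppressed.</description>
  </rule>
</group>
```

Restart OSSEC after editing ossec.conf, and re-run ossec-makelists whenever the list file changes, since the rule reads the compiled .cdb rather than the text file.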