Whitelist a trusted scanner (Nessus, Qualys)


DG

Sep 1, 2023, 2:40:16 PM
to Wazuh | Mailing List
Hello Team,

Is there a way to whitelist a trusted scanner from triggering alerts? Basically, a rule that will not trigger any detection rules for a trusted source IP address. 

Thanks

ppilti...@gmail.com

Sep 1, 2023, 2:48:13 PM
to Wazuh | Mailing List
What you want to do is reclassify that source IP as level 0.

Add something like this to /var/ossec/etc/rules/local_rules.xml:
<group>
  <rule id="100100" level="0">
    <srcip>x.x.x.x</srcip>
    <description>Nessus scanner</description>
  </rule>
</group>

Note that you can test this by running /var/ossec/bin/wazuh-logtest and then pasting an offending log entry. The new rule should trigger and you'll see a level 0 result. If successful, restart wazuh-manager and you're good to go.

Daniel Sappa

Sep 1, 2023, 3:13:08 PM
to Wazuh | Mailing List
You can use the CDB list feature, part of the ruleset, designed specifically for this.

Create your list as follows:
  • Do not forget to store your lists in /var/ossec/etc/lists and define them in the ruleset section within the ossec.conf file:

    <ossec_config>
      <ruleset>
        <list>etc/lists/your_list</list>
      </ruleset>
    </ossec_config>

You can use the lists in both custom and default rules. In your case, as you want to look for the srcip field, you also have to specify lookup="address_match_key" in the desired rules:

<list field="srcip" lookup="address_match_key">etc/lists/your_list</list>

Finally, restart Wazuh:

systemctl restart wazuh-manager

Here you have a CDB lists overview. Also, here you have a use case of ignoring/blocking IPs using CDB lists.

Do not hesitate to ask for help with any doubt.

Hope this helps you,

Red Team

Sep 5, 2023, 10:05:33 AM
to ppilti...@gmail.com, Wazuh | Mailing List
Thanks, I will try this out. Appreciate you providing this. 


Red Team

Sep 5, 2023, 11:00:00 AM
to ppilti...@gmail.com, Wazuh | Mailing List
Unfortunately that does not work. In order for the rule to trigger, you have to insert <if_sid> </if_sid> and insert the rules to reclassify. It's a little tedious to have to insert all the other rules to reclassify. Am I missing something?

    <rule id="100100" level="0">
        <if_sid>31101</if_sid>
        <srcip>X.X.X.X</srcip>
        <description>Nessus scanner</description>
    </rule>
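Putting the two answers together (the CDB-list approach from Daniel's post and the <if_sid> parent that Red Team found the level-0 rule needs), here is an added example that is not code from this thread or from Wazuh: a small Python lint that embeds constructed samples of the list file, the <ruleset> entry and the override rule, and checks them before the manager is restarted. The scanner addresses 10.0.0.5/10.0.0.6, the list name trusted-scanners and rule ids 100100/100101 are placeholders; 31101 is the parent rule id quoted above.

```python
"""Pre-deploy checks for a Wazuh "trusted scanner" suppression rule.

Added example, not Wazuh's own tooling.  Lints the three pieces discussed
in the thread (CDB list file, <ruleset> entry in ossec.conf, level-0
override rule in local_rules.xml) for the mistakes the thread ran into.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed samples: the IPs, list name and rule ids 100100/100101 are
# placeholders; 31101 is the parent rule id used in the thread.
CDB_LIST = """10.0.0.5:nessus
10.0.0.6:qualys
"""

OSSEC_CONF = """<ossec_config>
  <ruleset>
    <list>etc/lists/trusted-scanners</list>
  </ruleset>
</ossec_config>
"""

LOCAL_RULES = """<group name="local,scanner,">
  <!-- Child of 31101, the rule being silenced, so it is evaluated. -->
  <rule id="100100" level="0">
    <if_sid>31101</if_sid>
    <list field="srcip" lookup="address_match_key">etc/lists/trusted-scanners</list>
    <description>Trusted vulnerability scanner, alert suppressed</description>
  </rule>
  <!-- No parent: the shape the thread reports as not firing. -->
  <rule id="100101" level="0">
    <srcip>10.0.0.5</srcip>
    <description>Orphan override, flagged by the lint below</description>
  </rule>
</group>
"""

# Elements that make a rule a child of another rule in the Wazuh ruleset.
PARENT_TAGS = ("if_sid", "if_group", "if_level", "if_matched_sid", "if_matched_group")


def parse_wazuh_xml(text):
    """Wazuh rule and config files may hold several top-level elements
    (many <group> or <ossec_config> blocks), which a strict XML parser
    rejects, so wrap them in a synthetic root first."""
    return ET.fromstring("<wazuh>" + text + "</wazuh>")


def find_orphan_overrides(rules_xml):
    """Ids of level-0 rules with no parent element; such a rule is not
    evaluated as a child of the rule it is meant to override."""
    root = parse_wazuh_xml(rules_xml)
    return [
        rule.get("id")
        for rule in root.iter("rule")
        if rule.get("level") == "0"
        and all(rule.find(tag) is None for tag in PARENT_TAGS)
    ]


def find_undeclared_lists(rules_xml, ossec_conf):
    """CDB list paths referenced by rules but missing from <ruleset>."""
    declared = {
        el.text.strip()
        for ruleset in parse_wazuh_xml(ossec_conf).iter("ruleset")
        for el in ruleset.findall("list")
    }
    referenced = {
        el.text.strip()
        for rule in parse_wazuh_xml(rules_xml).iter("rule")
        for el in rule.findall("list")
    }
    return sorted(referenced - declared)


def parse_cdb_list(text):
    """Parse key:value lines into a dict, rejecting keys that are not IP
    addresses, since address_match_key compares srcip against the keys."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected key:value, got {line!r}")
        ipaddress.ip_address(key)  # raises ValueError on a malformed key
        entries[key] = value
    return entries


def lint(rules_xml=LOCAL_RULES, ossec_conf=OSSEC_CONF, cdb_list=CDB_LIST):
    """Collect findings; an empty list means nothing blocks the restart."""
    findings = [f"rule {rid}: level 0 but no <if_sid>/<if_group> parent"
                for rid in find_orphan_overrides(rules_xml)]
    findings += [f"list {path}: referenced by a rule but not in <ruleset>"
                 for path in find_undeclared_lists(rules_xml, ossec_conf)]
    try:
        parse_cdb_list(cdb_list)
    except ValueError as exc:
        findings.append(f"cdb list: {exc}")
    return findings


if __name__ == "__main__":
    for finding in lint() or ["no findings"]:
        print(finding)
```

Run it as a script to lint the embedded samples, or pass the real file contents to lint() (read from /var/ossec/etc/rules/local_rules.xml, ossec.conf and the list file). It only catches the configuration mistakes discussed in this thread; wazuh-logtest with a real log line, as suggested above, remains the authoritative check that the override actually fires.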

DG

Sep 6, 2023, 3:19:07 PM
to Wazuh | Mailing List
I missed this response. Will try this out and let you know. 