OSSEC Whitelist


Brian Torbich

Nov 9, 2007, 4:01:43 PM
to ossec...@googlegroups.com
Hello,

I have whitelisted some IP addresses in ossec.conf, but am still receiving
warning messages about the IP address via e-mail. Does the white list only
affect the active response module? In other words, if the IP address is in
the white list, will it still trigger the rules and the alerts? I added the
IPs to the white list and it's no longer blocking them with active response
in iptables, but it's still triggering the rules and sending me the e-mail
warnings.

I want to have these IP addresses not be blocked with active-response, but I
don't want to receive any warning messages associated with these IPs. Is
this possible?


Thanks,

================================
Brian Torbich
Voice Marketing, Inc.
http://www.voicemarketing.net
Cell Phone: 412-398-9364
================================

Peter M. Abraham

Nov 10, 2007, 10:43:01 AM
to ossec-list
Greetings Brian:

Your findings and mine are similar -- the white list blocks the IP
from being impacted by the active response, but you still get emails.

What you can do, if you do not want to be emailed about them, is set
up a new rule in /var/ossec/rules/local_rules.xml based on the
existing rule.

<group name="local,">
  <rule id="10000" level="0">
    <if_sid>[ID OF RULE YOU WANT TO IGNORE FOR YOUR IP]</if_sid>
    <srcip>[YOUR WHITE LIST IP]</srcip>
    <description>[YOUR DESCRIPTION]</description>
    <group>[GROUP],</group>
  </rule>
</group>

Also see http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules#Ignoring_a_specific_IP

Thank you.
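The approach above keeps two lists that have to agree by hand: the `<white_list>` entries in ossec.conf (which only stop active response) and the level-0 child rules in local_rules.xml (which stop the alert and the e-mail). The script below is an added example, not code from this thread or from the OSSEC project: it reads the `<white_list>` entries out of an ossec.conf document, emits one level-0 child rule per whitelisted source for the parent rule ids you name, and checks a rules fragment for the usual mistakes (unfilled `[...]` placeholders, non-numeric ids). The ossec.conf fragment is constructed for the example, the parent sids 5712 and 5720 are placeholders for whatever rules are actually paging you, and the starting id 100100 is an arbitrary pick inside the 100000+ range OSSEC sets aside for local rules.

```python
"""Generate OSSEC level-0 'ignore' rules for every ossec.conf white_list entry.

Added example (not OSSEC project code): whitelisting in ossec.conf only
exempts a source from active response; to also silence the alert you need a
child rule with level="0" that matches the parent rule (if_sid) and the
source address (srcip).  This script keeps the two in sync.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample fragment of /var/ossec/etc/ossec.conf (not a real deployment).
SAMPLE_OSSEC_CONF = """\
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <white_list>127.0.0.1</white_list>
    <white_list>192.168.2.1</white_list>
    <white_list>10.0.0.0/24</white_list>
  </global>
</ossec_config>
"""

# Hypothetical parent rule ids whose alerts should be silenced for whitelisted
# sources; substitute the sids that actually show up in your alerts.log.
PARENT_SIDS = (5712, 5720)


def parse_white_list(conf_xml):
    """Return the <white_list> entries of an ossec.conf document.

    OSSEC accepts plain addresses and CIDR blocks here; anything else is
    rejected so a typo cannot silently produce a rule that never matches.
    """
    root = ET.fromstring(conf_xml)
    entries = []
    for elem in root.iter("white_list"):
        text = (elem.text or "").strip()
        if not text:
            continue
        ipaddress.ip_network(text, strict=False)  # raises ValueError on garbage
        entries.append(text)
    return entries


def build_ignore_rules(white_list, parent_sids, first_id=100100):
    """Build a <group> of level-0 child rules, one per whitelisted source.

    A child matches only when the parent rule fired AND srcip is the
    whitelisted address, so that event is downgraded to level 0 (no e-mail,
    no active response) while the same event from any other source still
    raises the parent alert.  if_sid takes a comma-separated list of sids.
    """
    sids = ",".join(str(s) for s in parent_sids)
    group = ET.Element("group", name="local,whitelist,")
    for offset, src in enumerate(white_list):
        rule = ET.SubElement(group, "rule", id=str(first_id + offset), level="0")
        ET.SubElement(rule, "if_sid").text = sids
        ET.SubElement(rule, "srcip").text = src
        ET.SubElement(rule, "description").text = (
            "Whitelisted source %s: ignore rules %s" % (src, sids))
    if hasattr(ET, "indent"):  # pretty-print on Python 3.9+
        ET.indent(group)
    return ET.tostring(group, encoding="unicode")


def check_rules(rules_xml):
    """Return a list of problems found in a local_rules.xml-style fragment.

    Each <rule> needs a numeric id and a level, <if_sid> must be
    comma-separated integers, and <srcip> must be an address or CIDR block
    (optionally negated with '!').  An unfilled placeholder such as
    '[YOUR WHITE LIST IP]' is the classic copy-paste mistake this catches.
    """
    problems = []
    root = ET.fromstring(rules_xml)
    for rule in root.iter("rule"):
        rid = rule.get("id")
        if rid is None or not rid.isdigit() or rule.get("level") is None:
            problems.append("rule without numeric id or level: %r" % (rid,))
            continue
        sid = rule.findtext("if_sid", "")
        if sid and not all(p.strip().isdigit() for p in sid.split(",")):
            problems.append("rule %s: bad if_sid %r" % (rid, sid))
        src = rule.findtext("srcip", "")
        if src:
            try:
                ipaddress.ip_network(src.lstrip("!"), strict=False)
            except ValueError:
                problems.append("rule %s: bad srcip %r" % (rid, src))
    return problems


if __name__ == "__main__":
    rules = build_ignore_rules(parse_white_list(SAMPLE_OSSEC_CONF), PARENT_SIDS)
    assert check_rules(rules) == []
    print(rules)  # paste into /var/ossec/rules/local_rules.xml
```

After appending the output to /var/ossec/rules/local_rules.xml and restarting OSSEC, feed a sample log line to /var/ossec/bin/ossec-logtest and confirm the matched rule is the new local id at level 0 for a whitelisted source, and the original parent rule at its normal level for any other source.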

Brian Torbich

Nov 12, 2007, 12:49:46 PM
to ossec...@googlegroups.com
Peter,

Thanks!
