whitelist domain names


Steve

Feb 22, 2011, 4:02:41 AM
to ossec-list
I've been looking for a way to add domains to the whitelist to prevent
active-response. I can see similar questions have been asked but I
cannot find any with an answer.

The issue is active-response taking action against a web crawler
(Google, etc) if they attempt to crawl many pages that no longer
exist. Most search engines do not publish an IP range/block and
require a host lookup.

As I understand it, the whitelist can take a set of IP addresses or an
IP block. Can it take a domain name, e.g. googlebot.com?

If not, has anyone successfully and safely found a way to use
active-response without it resulting in blocking search engines?

Steve

Doug Burks

Feb 22, 2011, 6:13:07 AM
to ossec...@googlegroups.com
One possible solution for this would be to whitelist the crawler's
User Agent by doing the following:
- determine the User Agent that the bot is sending with the request
- determine which rule(s) are triggering the Active Response
- write new child rule(s) that match the User Agent of the bot and
  lower the severity level to prevent Active Response

Regards,
--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com

dan (ddp)

Feb 22, 2011, 10:35:27 AM
to ossec...@googlegroups.com
You could modify the AR script to do some kind of lookup to see
whether the IP should be banned or not.

On Tue, Feb 22, 2011 at 4:02 AM, Steve <wardel...@gmail.com> wrote:
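
The lookup suggested in the last reply, sketched as an added example (not code from the thread or from OSSEC): a forward-confirmed reverse DNS check that a wrapper around the active-response script could consult before blocking. The function names, the `TRUSTED_SUFFIXES` list and the sample DNS records are assumptions made for illustration.

```python
import ipaddress
import socket

# Assumption: suffixes to trust. googlebot.com is the domain named in the thread.
TRUSTED_SUFFIXES = (".googlebot.com",)

def system_reverse(ip):
    """PTR lookup through the system resolver; hostname or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """A/AAAA lookup through the system resolver; set of address strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def is_trusted_crawler(ip, reverse=system_reverse, forward=system_forward):
    """Forward-confirmed reverse DNS. The PTR record is set by whoever controls
    the IP block, so the name only counts if it resolves back to the same IP."""
    try:
        target = ipaddress.ip_address(ip)
    except ValueError:
        return False
    name = (reverse(ip) or "").rstrip(".").lower()
    if not name.endswith(TRUSTED_SUFFIXES):
        return False
    return any(ipaddress.ip_address(a) == target for a in forward(name))

# Constructed sample data (documentation address ranges), so this runs offline.
PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",    # PTR and A record agree
    "198.51.100.7": "crawl-192-0-2-10.googlebot.com.",  # spoofed PTR, A disagrees
    "203.0.113.5": "googlebot.com.attacker.example.",   # look-alike name
}
A = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"}}

def demo():
    """Return {ip: should_block} for the constructed hosts plus one with no PTR."""
    ips = list(PTR) + ["203.0.113.99"]
    return {ip: not is_trusted_crawler(ip, PTR.get, lambda n: A.get(n, set()))
            for ip in ips}

if __name__ == "__main__":
    for ip, block in demo().items():
        print(ip, "block" if block else "skip active response")
```

Any lookup failure or mismatch leaves the address untrusted, so the block proceeds as it would without the check.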
