Excluding certain source IPs


kalma...@csiro.au

Oct 2, 2007, 8:34:24 PM10/2/07
to ossec...@googlegroups.com
Hi all,

this might be simple but I can't find a reference to it.

I'd like to exclude one source IP (or maybe its whole C-class) from
being alerted on.

(This host often runs nessus scans, causing all sorts of alerts on the
apache servers).

It looks like the <white_list> tag in ossec.conf is only for active
response, not alerting.

So I suppose some condition should go into local_rules.xml. But what?

There should be an <if_srcip> tag to make an exemption based on
address(es), but there is no such tag.

How could a source IP be completely excluded from alerting?

Thanks,
Kal


Kalman Dee
Canberra, Australia

Cédric THIBAULT

Oct 3, 2007, 6:18:14 AM10/3/07
to ossec...@googlegroups.com
I think in your alerts you should retrieve the source IP. So, if you write
a local alert with the match tag, it could be a solution for you, no?
Of course, you have to include all alerts caused by this IP in the rule...
Not perfect.


Daniel Cid

Oct 4, 2007, 9:15:42 PM10/4/07
to ossec...@googlegroups.com
Hi Kalman,

A simple way to solve this is by creating a local rule ignoring
whenever this IP is present in the log (in this case for every alert
above level 6):

<group name="local">
  <rule id="100101" level="0">
    <!-- only fires for events that already reached level 6 or higher -->
    <if_level>6</if_level>
    <!-- ip.address is a placeholder: put the scanner's address here -->
    <match>ip.address</match>
    <description>Events ignored from ip</description>
  </rule>
</group>

You can also use <srcip>ip address</srcip>, but in some cases it may
not be decoded.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net
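The two variants in the reply above behave differently in a way that matters for a defender: a bare <match> on the address silences any event whose log line merely contains that string (so "10.1.1.1" also hides alerts from a host that logged "10.1.1.100"), while <srcip> only works when the decoder has actually extracted a source IP. The following is an added example, not OSSEC's own code or anything from this thread: it is a small Python model of <match>, <srcip> and <if_level> semantics (substring test with ^ as a start-of-line anchor, decoded-srcip comparison with CIDR, minimum level), run over a constructed local_rules.xml and a few constructed Apache and custom-app events. The addresses 10.1.1.1 and 10.1.1.0/24 are assumed stand-ins for the scanner and its C-class.

```python
"""Simplified model of how an OSSEC local rule with <match> or <srcip>
decides whether to silence an event.  Added example for this thread, not
OSSEC's own code: <match> is reduced to a plain substring test (with ^ as
a start-of-line anchor), <srcip> to a comparison against the decoder's
srcip field with optional CIDR, and <if_level> to a minimum alert level."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed local_rules.xml fragment: the two variants from the reply
# plus an anchored <match> that bounds the address.  10.1.1.1 and
# 10.1.1.0/24 are assumed stand-ins for the scanner host and its C-class.
LOCAL_RULES = """<group name="local">
  <rule id="100101" level="0">
    <if_level>6</if_level>
    <match>10.1.1.1</match>
    <description>Scanner ignored via bare substring</description>
  </rule>
  <rule id="100102" level="0">
    <if_level>6</if_level>
    <match>^10.1.1.1 </match>
    <description>Scanner ignored via anchored substring (apache access log)</description>
  </rule>
  <rule id="100103" level="0">
    <if_level>6</if_level>
    <srcip>10.1.1.0/24</srcip>
    <description>Scanner subnet ignored via decoded srcip</description>
  </rule>
</group>"""


def parse_rules(xml_text):
    """Pull the fields this model cares about out of each <rule>."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level")),
            "if_level": int(r.findtext("if_level", default="0")),
            "match": r.findtext("match"),
            "srcip": r.findtext("srcip"),
        })
    return rules


def match_hits(pattern, log):
    """<match> is not a regex: plain substring, '^' anchors the start."""
    if pattern.startswith("^"):
        return log.startswith(pattern[1:])
    return pattern in log


def srcip_hits(pattern, decoded_srcip):
    """<srcip> needs a decoded srcip; an undecoded event can never match it."""
    if decoded_srcip is None:
        return False
    return ipaddress.ip_address(decoded_srcip) in ipaddress.ip_network(pattern, strict=False)


def rule_fires(rule, event):
    """True when every condition of the rule holds for this event."""
    if event["level"] < rule["if_level"]:
        return False
    if rule["match"] is not None and not match_hits(rule["match"], event["log"]):
        return False
    if rule["srcip"] is not None and not srcip_hits(rule["srcip"], event["srcip"]):
        return False
    return True


def evaluate(rules, event):
    """Map rule id -> whether that rule would silence this event."""
    return {rule["id"]: rule_fires(rule, event) for rule in rules}


# Constructed events.  "level" is the level of the rule that originally
# fired; "srcip" is what the decoder extracted (None when it extracted none).
EVENTS = {
    "scanner_apache": {
        "log": '10.1.1.1 - - [02/Oct/2007:20:34:24 +1000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209',
        "level": 6, "srcip": "10.1.1.1"},
    "other_host_mentions_ip": {
        "log": '192.168.5.7 - - [02/Oct/2007:20:35:01 +1000] "GET /?host=10.1.1.100 HTTP/1.1" 200 512',
        "level": 6, "srcip": "192.168.5.7"},
    "scanner_no_decoder": {
        "log": "custom-app: probe from 10.1.1.1 rejected",
        "level": 7, "srcip": None},
    "scanner_low_level": {
        "log": '10.1.1.1 - - [02/Oct/2007:20:36:12 +1000] "GET / HTTP/1.1" 200 44',
        "level": 3, "srcip": "10.1.1.1"},
}

if __name__ == "__main__":
    rules = parse_rules(LOCAL_RULES)
    for name, event in EVENTS.items():
        print(name, evaluate(rules, event))
```

Running it shows the trade-off: the bare substring rule (100101) also silences the event from 192.168.5.7 because its request line contains "10.1.1.1", the anchored rule (100102) only fires when the address opens the line and is followed by a space, and the srcip rule (100103) is the only one that covers the whole C-class but does nothing for the custom-app line where no srcip was decoded.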
