How do you whitelist a hostname/IP

1,059 views

ad...@gunco.net

Jan 7, 2014, 2:27:40 PM
to securit...@googlegroups.com
I have a vulnerability scanner within my networks that is registering 75% of all the events in Snorby, Squert and Sguil. I need to be able to remove this system from being monitored, and turning it off isn't an option. How do I exclude or whitelist this hostname/IP? Do I need to manually add the hostname to the BPF filters?

Great tool set but this issue is killing the sensors.

Thanks

Heine Lysemose

Jan 7, 2014, 2:37:29 PM
to securit...@googlegroups.com

Hi

Yes, either you need to do it with BPF filters, https://code.google.com/p/security-onion/wiki/BPF, or you need to use suppressions, https://code.google.com/p/security-onion/wiki/ManagingAlerts#Suppressions

Regards,
Lysemose

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/groups/opt_out.

Jesse Cail

Jun 27, 2017, 7:51:54 AM
to security-onion
So, is the correct way to whitelist a vulnerability scanner via BPF to add a filter rule that shows nothing from the vulnerability scanner IP, as shown below?

(Example from the wiki page)

#Nothing to or from:
!(host xxx.xxx.xxx.xxx) &&

Wes Lambert

Jun 27, 2017, 8:05:29 AM
to securit...@googlegroups.com
Jesse,

If you wish to ignore all traffic from the vulnerability scanner, then this is the way to do so. However, if this is the only line in your BPF conf file, you would want to remove the '&&' portion.

Thanks,
Wes


--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
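
Expanding on Wes's point about the dangling '&&', here is an added shell example (written for this thread; not the Security Onion wiki's text or the project's own code) that builds the exclusion expression from a list of scanner addresses and syntax-checks it with tcpdump before it goes into the BPF file. The file path /etc/nsm/rules/bpf.conf in the usage note is an assumption based on the Security Onion layout of that era; the BPF wiki page linked above is authoritative for your release.

```shell
#!/bin/sh
# Build and syntax-check a Security Onion BPF exclusion for scanner
# addresses. Added example; not the wiki's text or the project's code.

# bpf_exclude ADDR [ADDR...]
# Prints one expression that drops traffic to or from every address.
# A bare address becomes "host A", a CIDR becomes "net A/N". Terms are
# joined with " && " and nothing is left dangling: a trailing "&&", as in
# the wiki fragment quoted above, is a syntax error when it is the last
# thing in the file.
bpf_exclude() {
    bpf=""
    for a in "$@"; do
        case "$a" in
            */*) term="!(net $a)" ;;
            *)   term="!(host $a)" ;;
        esac
        if [ -z "$bpf" ]; then
            bpf="$term"
        else
            bpf="$bpf && $term"
        fi
    done
    printf '%s\n' "$bpf"
}

# bpf_check EXPR
# Compiles EXPR with "tcpdump -d" against an empty capture file, so no
# interface is opened and no root is needed. Returns 0 if tcpdump accepts
# the filter, 1 if it rejects it, 2 if tcpdump is not installed.
bpf_check() {
    command -v tcpdump >/dev/null 2>&1 || return 2
    pcap=$(mktemp) || return 2
    # 24-byte pcap global header: magic a1b2c3d4 (little-endian), version
    # 2.4, zone 0, sigfigs 0, snaplen 65535, link type 1 (Ethernet), and
    # no packet records after it.
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$pcap"
    if tcpdump -r "$pcap" -d "$1" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$pcap"
    return "$rc"
}
```

Usage: `bpf_exclude 10.0.0.5 10.0.0.6` prints `!(host 10.0.0.5) && !(host 10.0.0.6)`; run `bpf_check "$(bpf_exclude 10.0.0.5 10.0.0.6)"` first, then write the expression into the BPF file and restart the sensor processes so the new filter is loaded. Keep in mind that every tool reading that file now never sees the scanner's traffic at all, so the scanner itself is unmonitored from the network side.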

Jesse Cail

Jun 27, 2017, 10:30:46 AM
to security-onion
Wes,

Thanks - will do. Will this also quiet the OSSEC Notifications from those agents or is there another route for accomplishing that?

Jesse

Wes Lambert

Jun 27, 2017, 10:32:51 AM
to securit...@googlegroups.com
For OSSEC, you may want to do something like the following:

http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.global.html#element-white_list

Thanks,
Wes

Jesse Cail

Jun 27, 2017, 11:01:02 AM
to security-onion
Thanks Wes!

Jon Mark Allen

Jun 27, 2017, 11:10:14 AM
to security-onion
On Tuesday, June 27, 2017 at 9:32:51 AM UTC-5, Wes wrote:
> For OSSEC, you may want to do something like the following:
>
> http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.global.html#element-white_list
>
> Thanks, Wes
>
> On Tue, Jun 27, 2017 at 10:30 AM, Jesse Cail <jesse....@gmail.com>
> wrote: Wes,
>
> Thanks - will do. Will this also quiet the OSSEC Notifications from those
> agents or is there another route for accomplishing that?
>
> Jesse
>

I recently realized that the OSSEC white_list element does not keep OSSEC from
alerting on actions from the given IP, but only prevents it from blocking
the IP with an active response script. That's good, but doesn't help if
you're trying to keep alert noise down.

To prevent OSSEC from generating alerts at all for a given IP, you can make
use of the IP reference list feature.

I documented the process I followed for this at
https://geekcabi.net/article/ossec-whitelisting/

The downside to this approach is that those IP addresses are **completely**
trusted from an IDS/SIEM perspective, so be sure to review the scanner logs
on a regular basis to watch for any unauthorized or malicious use.

JM
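
To make JM's CDB-list approach concrete, here is an added shell example (mine, not the contents of his article and not an OSSEC-supplied tool) that stages the three pieces involved: the list file, a level-0 local rule keyed on srcip, and the ossec.conf fragment that registers the list. It writes into a directory you name, so the files can be reviewed before they are copied under /var/ossec (which, as Jesse found, needs root). The rule id 100100 and the parent rule ids in if_sid are placeholders you must replace with the rules that are actually firing for your scanner.

```shell
#!/bin/sh
# Stage an OSSEC CDB-list whitelist for an authorized scanner.
# Added example written for this thread; it is not the content of the
# geekcabi article above nor an OSSEC-supplied tool. Rule id 100100 and the
# parent ids 5700,5710,5716 (sshd rules) are placeholders: put the ids of
# the rules that are actually firing for your scanner in <if_sid>.

# ossec_stage DIR ADDR [ADDR...]
# Writes DIR/lists/scanner-ips, DIR/local_rules.xml and
# DIR/ossec.conf.snippet. Returns 1 on a malformed IPv4 address so a typo
# is caught here rather than silently leaving the scanner un-whitelisted.
ossec_stage() {
    dir="$1"; shift
    [ $# -gt 0 ] || return 1
    mkdir -p "$dir/lists" || return 1
    : > "$dir/lists/scanner-ips"
    for a in "$@"; do
        printf '%s\n' "$a" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
        # CDB list entries are key:value; srcip is looked up as the key.
        printf '%s:authorized-scanner\n' "$a" >> "$dir/lists/scanner-ips"
    done
    cat > "$dir/local_rules.xml" <<'EOF'
<group name="local,">
  <!-- Level 0 means "ignored": a matching event is consumed here and
       never becomes an alert. address_match_key compares the decoded
       srcip against the list keys. -->
  <rule id="100100" level="0">
    <if_sid>5700,5710,5716</if_sid>
    <list field="srcip" lookup="address_match_key">lists/scanner-ips</list>
    <description>Authorized vulnerability scanner; event suppressed.</description>
  </rule>
</group>
EOF
    cat > "$dir/ossec.conf.snippet" <<'EOF'
<ossec_config>
  <rules>
    <!-- Registers the list; ossec-makelists compiles it to a .cdb file. -->
    <list>lists/scanner-ips</list>
  </rules>
</ossec_config>
EOF
}

# ossec_list_count DIR  -> how many scanner addresses were staged
ossec_list_count() {
    wc -l < "$1/lists/scanner-ips" | tr -d ' '
}

# ossec_has_address DIR ADDR -> 0 if ADDR is a key in the staged list
ossec_has_address() {
    grep -q "^$2:" "$1/lists/scanner-ips"
}
```

After copying lists/scanner-ips to /var/ossec/lists/, merging the rule into /var/ossec/rules/local_rules.xml and the snippet into /var/ossec/etc/ossec.conf, run /var/ossec/bin/ossec-makelists to compile the .cdb file and then /var/ossec/bin/ossec-control restart. The contrast with the white_list element in Wes's link is the one JM describes: white_list only exempts the address from active response, whereas this rule stops the alerts themselves, with the trust trade-off he warns about.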

Jesse Cail

Jun 27, 2017, 2:07:57 PM
to security-onion
JM,

Thanks for that article - I can't create the lists file referenced (/var/ossec/lists/file_name). I get access denied. I am logged on as the original admin that I created at install, and using sudo nano /path/filename.
Jesse

Jesse Cail

Jun 27, 2017, 2:15:03 PM
to security-onion
JM / All,

I figured it out - had to request root shell (sudo -s), cd to /var/ossec, and mkdir /lists.

Jesse
