Ignore all alerts generated by an OpenVAS


Nico Alonso

Sep 1, 2025, 8:03:17 AM
to Wazuh | Mailing List
Hello,

I installed an OpenVAS in my network, and it is doing some validations over machines where I have installed the Wazuh agent, so I am receiving a lot of false positives (for example, OpenVAS tries to brute-force SSH logins and an alert is generated).

I was looking for the possibility of ignoring all alerts generated where the source IP is the one that the OpenVAS has, but the only thing that I found is a way to ignore the alerts generated in the OpenVAS, not the ones generated by the operations that it does while testing.

Is there any way of ignoring all alerts generated by the source IP of the machine that is creating the alert? Does Wazuh have any configuration or set of rules for security scanners that can do this?

Thanks,
Nico

Olamilekan Abdullateef Ajani

Sep 1, 2025, 10:15:41 AM
to Wazuh | Mailing List
Hello Nico,

If you are aiming to ignore/silence events from the source IP of OpenVAS, you can simply use the custom rule below to capture the OpenVAS SSH events.

<group name="sshd,syslog,authentication_failed,">
  <rule id="122112" level="0">
    <if_sid>5760</if_sid> <!-- match the ssh event -->
    <srcip>X.X.X.X</srcip> <!-- your OpenVAS scanner IP -->
    <description>Ignore SSH brute force attempts from OpenVAS scanner</description>
  </rule>
</group>
However, if the events will be coming from multiple sources, because your query suggests that, you can make use of a CDB list to achieve this by adding the IP addresses of multiple hosts to the list and matching them with
<list field="srcip" lookup="address_match_key">etc/lists/test-list</list> in a rule.

With the rule looking like:
<group name="sshd,syslog,authentication_failed,">
  <rule id="122112" level="0">
    <if_sid>5760</if_sid> <!-- match the ssh event -->
    <list field="srcip" lookup="address_match_key">etc/lists/test-list</list>
    <description>Ignore SSH brute force attempts from OpenVAS sources</description>
  </rule>
</group>

If the CDB list route works for you, please make use of the documentation below as a guide:

You need to create a list in /var/ossec/etc/lists with the right file permissions (chmod 660 and chown wazuh:wazuh).
Add the list to the Wazuh server configuration file.
Then make use of the list in a rule.

Ref:

Please let me know if you require further assistance on this.
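The three steps of the CDB list route above, as a small POSIX shell helper; this is an added example, not the poster's or Wazuh's own code. It assumes a Wazuh 4.x manager under /var/ossec; the list name scanner-ips, rule id 122112 and the 192.0.2.x scanner addresses are constructed placeholders.

```shell
# Added example, not the poster's code. Hypothetical names: list file "scanner-ips",
# rule id 122112; WAZUH_HOME defaults to /var/ossec. Addresses passed in are constructed.
WAZUH_HOME="${WAZUH_HOME:-/var/ossec}"
LIST_NAME="${LIST_NAME:-scanner-ips}"

# Write the CDB source file into directory $1, one "address:label" line per scanner in $2..$n.
# A CDB list is "key:value" per line; address_match_key compares the event's srcip with the key.
write_scanner_list() {
    dir="$1"; shift
    out="$dir/$LIST_NAME"
    : > "$out"
    for ip in "$@"; do
        printf '%s:openvas\n' "$ip" >> "$out"
    done
    chmod 660 "$out"                                # readable by wazuh, not world-readable
    chown wazuh:wazuh "$out" 2>/dev/null || true    # skipped when not run as root on a manager
    echo "$out"
}

# <ruleset> entry for ossec.conf that registers the list (path is relative to WAZUH_HOME).
ruleset_entry() {
    printf '<list>etc/lists/%s</list>\n' "$LIST_NAME"
}

# Child of 5760 (sshd: authentication failed) that fires at level 0 when srcip is in the list.
# Level 0 suppresses the alert entirely; pick a low non-zero level if you still want it visible.
scanner_rule() {
    cat <<EOF
<group name="sshd,syslog,authentication_failed,">
  <rule id="122112" level="0">
    <if_sid>5760</if_sid>
    <list field="srcip" lookup="address_match_key">etc/lists/${LIST_NAME}</list>
    <description>Ignore SSH authentication failures from listed scanner sources</description>
  </rule>
</group>
EOF
}

# On a manager, run "sh this.sh apply 192.0.2.10 192.0.2.11": builds the list, prints the two
# snippets to add to ossec.conf and local_rules.xml, then restarts so the list gets compiled.
if [ "${1:-}" = "apply" ]; then
    shift
    write_scanner_list "$WAZUH_HOME/etc/lists" "$@"
    echo "Add inside <ruleset> in $WAZUH_HOME/etc/ossec.conf:"; ruleset_entry
    echo "Add to $WAZUH_HOME/etc/rules/local_rules.xml:"; scanner_rule
    "$WAZUH_HOME/bin/wazuh-control" restart
fi
```

After the restart, feed a sample sshd "Failed password" line from a listed address through /var/ossec/bin/wazuh-logtest and confirm it now matches rule 122112 at level 0 instead of 5760.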