How to create a CDB list for maintaining a list of internal IP ranges.


prithvis...@unotechsoft.com

Apr 20, 2019, 4:07:08 AM
to Wazuh mailing list
Hi community,

I am trying to create a list for my internal IPs using the CDB list feature but I'm not sure what the list file should be like. The Wazuh documentation states this as an example of a list file:
192.168.: Matches 192.168.0.0 - 192.168.255.255
172.16.19.: Matches 172.16.19.0 - 172.16.19.255
10.1.1.1: Matches 10.1.1.1

The OSSEC documentation had this as an example of a list file:
192.168.: RFC 1918 Address space
172.16.:RFC 1918 Address space
172.17.:RFC 1918 Address space
172.18.:RFC 1918 Address space
172.19.:RFC 1918 Address space
172.20.:RFC 1918 Address space
172.21.:RFC 1918 Address space
172.22.:RFC 1918 Address space
172.23.:RFC 1918 Address space
172.24.:RFC 1918 Address space
172.25.:RFC 1918 Address space
172.26.:RFC 1918 Address space
172.27.:RFC 1918 Address space
172.28.:RFC 1918 Address space
172.29.:RFC 1918 Address space
172.30.:RFC 1918 Address space
172.31.:RFC 1918 Address space
10.:RFC 1918 Address space

Which is the way to follow? If anyone can share any list file that they have developed, it would be greatly appreciated.

Thank you

Bradley King

Apr 20, 2019, 2:18:20 PM
to Wazuh mailing list
Hey dude, the top example is the correct way to make a list.

Just make a text file with your data:

192.168.: Matches 192.168.0.0 - 192.168.255.255
172.16.19.: Matches 172.16.19.0 - 172.16.19.255
10.1.1.1: Matches 10.1.1.1


Then add the location of the text file in the ossec.conf.


Then run /var/ossec/bin/ossec-makelists (I think); it should say something like 'LIST NAME [ Needs to be updated]' and then you're done!

:)

prithvis...@unotechsoft.com

Apr 22, 2019, 6:25:30 AM
to Wazuh mailing list
Thank you for your answer. 
So if I want to match IP addresses from 172.16.0.0 to 172.31.255.255, should I write it as:
172.: Matches 172.16.0.0 - 172.31.255.255

Or should I write it separately for every subnet:

172.16.: Matches 172.16.0.0 - 172.16.255.255
172.17.: Matches 172.17.0.0 - 172.17.255.255
...

daniel...@wazuh.com

Apr 22, 2019, 10:02:21 AM
to Wazuh mailing list

Hello prithvisagar.rao,

The Wazuh CDB lists have the “key:value” format, so everything you write after the colon is going to be the value of your key.

If you use “172.” as your key it will match for every IP from 172.0.0.0 to 172.255.255.255 even if you try to specify a different range in the value.

To accomplish what you were trying to do, you need to specify each subnet, as you suggested with the second option. You don’t even need to specify a value if you are not going to use it; your list could look like the following one:

172.16.:
172.17.:
172.18.:
172.19.:
...


You may check how to create, compile and use a CDB list with Wazuh here: https://documentation.wazuh.com/current/user-manual/ruleset/cdb-list.html?

Regards.
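The two points made in this thread (the value after the colon never narrows a key, and a range such as 172.16.0.0/12 has to be spelled out one octet-prefix key per /16) are easy to get wrong by hand. The script below is an added worked example, not code from the thread or from Wazuh: it parses a constructed key:value list, emulates the documented prefix match (the lookup order, exact IP then "a.b.c.", "a.b.", "a.", is an assumption modelled on the examples in the docs, not copied from Wazuh's source), and generates the keys for a set of CIDR blocks so the 172.16. to 172.31. enumeration does not have to be typed by hand. All function names are hypothetical.

```python
"""Added example: how key:value CDB list keys match IP addresses, and how to
generate the octet-prefix keys for a set of CIDR ranges (not Wazuh code)."""
import ipaddress

# Constructed sample list in the "key:value" layout discussed in the thread.
# Everything after the first colon is the value; it plays no part in matching.
SAMPLE_LIST = """\
192.168.: Matches 192.168.0.0 - 192.168.255.255
172.16.19.: Matches 172.16.19.0 - 172.16.19.255
10.1.1.1: Matches 10.1.1.1
172.: Matches 172.16.0.0 - 172.31.255.255 (the value does NOT narrow the key)
"""

# The three RFC 1918 blocks, the ranges the thread is trying to cover.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def parse_cdb_list(text):
    """Parse key:value lines into a dict keyed by the text before the first
    colon. Blank lines are skipped; the value is kept only for display."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        entries[key.strip()] = value.strip()
    return entries


def lookup_address(entries, ip):
    """Emulate the address match described in the docs for keys that end in
    a dot: try the exact IP, then the "a.b.c.", "a.b." and "a." prefixes.
    Assumption: this lookup order is modelled on the documented examples,
    not taken from Wazuh's implementation. Returns the matching key or None."""
    if ip in entries:
        return ip
    octets = ip.split(".")
    for n in (3, 2, 1):
        prefix = ".".join(octets[:n]) + "."
        if prefix in entries:
            return prefix
    return None


def cidr_to_cdb_keys(cidr):
    """Expand one IPv4 CIDR block into the dotted-octet prefix keys a CDB
    list needs. A key can only cut on an octet boundary, so the prefix
    length is rounded up to the next multiple of 8 and every sub-block of
    that size becomes one key: 172.16.0.0/12 -> 172.16. ... 172.31. (16 keys).
    A /32 becomes the bare address with no trailing dot."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen == 0:
        raise ValueError("only IPv4 blocks between /1 and /32 are supported")
    aligned = ((net.prefixlen + 7) // 8) * 8
    n_octets = aligned // 8
    keys = []
    for sub in net.subnets(new_prefix=aligned):
        octets = str(sub.network_address).split(".")
        if n_octets == 4:
            keys.append(".".join(octets))
        else:
            keys.append(".".join(octets[:n_octets]) + ".")
    return keys


def render_cdb_list(cidrs, value=""):
    """Produce the text of a CDB list file covering the given CIDR blocks,
    one "key:value" line per key (the value may be left empty)."""
    lines = []
    for cidr in cidrs:
        for key in cidr_to_cdb_keys(cidr):
            lines.append(f"{key}:{value}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entries = parse_cdb_list(SAMPLE_LIST)
    # 172.200.1.1 matches the "172." key even though its value claims
    # a narrower range: the value is ignored, as the reply above says.
    for ip in ("192.168.7.9", "172.16.19.4", "172.200.1.1", "10.1.1.1", "10.1.1.2"):
        print(f"{ip:15} -> {lookup_address(entries, ip)}")
    print(render_cdb_list(RFC1918, "RFC 1918 Address space"))
```

Running the script prints the 18-line list (one key for 10., sixteen for 172.16. through 172.31., one for 192.168.) in the same shape as the OSSEC example quoted in the first post. The generated text still has to be saved where ossec.conf points and compiled, as described earlier in the thread. One caveat of the prefix-key scheme itself: a block that does not end on an octet boundary, such as a /25, cannot be written as one key and expands into every /32 inside it, so keep internal ranges octet-aligned where you can.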

