Whitelist to not receive alerts from certain IPs


Daniel D'Angeli

Apr 12, 2022, 4:01:00 AM
to Wazuh mailing list
Hi,

I was trying to create a whitelist to stop receiving alerts from certain IPs for a client.

From what I read, the white-list parameter in ossec.conf only refers to active response.

Is there a way to do it?

Wazuh 4.2.5

Regards,
Daniel D.

Luis González Romero

Apr 12, 2022, 5:44:03 AM
to Wazuh mailing list

Hello Daniel! Hope you are doing great.

What I can suggest to you is to use CDB lists, allowing you to match any field extracted during the decoding phase, for example srcip. You can create your own black/white list. I think that if you want to not receive alerts from certain IPs, what you can do is create a black list with those IPs (if you mean to only receive alerts from your known nodes, just do the opposite: create a white list with your desired IPs).


  • Do not forget to store your lists in /var/ossec/etc/lists and define them in the ruleset section within the ossec.conf file:

    <ossec_config>
      <ruleset>
        <list>etc/lists/your_list</list>
      </ruleset>
    </ossec_config>


You can use the lists in both custom and default rules. In your case, as you want to look for the srcip field, you also have to specify lookup="address_match_key" in the desired rules:

<list field="srcip" lookup="address_match_key">etc/lists/your_list</list>

Finally, restart Wazuh:

systemctl restart wazuh-manager

Here you have a CDB lists overview. Also, here you have a use case of ignoring/blocking IPs using CDB lists.

Do not hesitate to ask for help or any doubt.


Hope this helps you,

Luis.

Daniel D'Angeli

Apr 13, 2022, 3:39:48 AM
to Wazuh mailing list
Thank you very much for the precise information, I will try to implement this and come back with feedback.

Regards,
Daniel D.

Daniel D'Angeli

Apr 13, 2022, 4:12:36 AM
to Wazuh mailing list
I created a file in /var/ossec/etc/lists named whitelist.cdb, the structure is as follows:
omissis@omissis:/var/ossec/etc/lists# ll
total 36
drwxrwx--- 3 root  ossec 4096 Apr 13 07:44 ./
drwxrwx--- 7 ossec ossec 4096 Apr 13 08:07 ../
drwxrwx--- 2 ossec ossec 4096 Mar 16 16:29 amazon/
-rw-rw---- 1 ossec ossec  107 Nov 12 19:49 audit-keys
-rw-rw---- 1 ossec ossec 2265 Mar 16 16:29 audit-keys.cdb
-rw-rw---- 1 ossec ossec  892 Nov 12 19:49 security-eventchannel
-rw-rw---- 1 ossec ossec 6461 Mar 16 16:29 security-eventchannel.cdb
-rw-rw---- 1 ossec ossec   31 Apr 13 07:44 whitelist.cdb

I modified the ossec.conf to load the list; I tried both:
<list field="srcip" lookup="address_match_key">etc/lists/whitelist</list>
<list field="srcip" lookup="address_match_key">/var/ossec/etc/lists/whitelist</list>

But upon restarting the manager it gave me this error:
2022/04/13 08:03:49 wazuh-analysisd: WARNING: (1103): Could not open file 'etc/lists/whitelist' due to [(2)-(No such file or directory)].
2022/04/13 08:09:31 wazuh-analysisd: WARNING: (1103): Could not open file '/var/ossec/etc/lists/whitelist' due to [(2)-(No such file or directory)].

Is there something I'm missing?

Daniel D'Angeli

Apr 13, 2022, 4:17:09 AM
to Wazuh mailing list
I just noticed I didn't have to create the file as a .cdb file; now that I have removed the extension it gets recognized within the path etc/lists/whitelist.

Daniel D'Angeli

Apr 13, 2022, 4:21:45 AM
to Wazuh mailing list
I inserted the list as follows:

And testing the following log with ./wazuh-logtest still produces a rule trigger:
Apr  8 10:34:43 omissis sshd[20220]: Did not receive identification string from 192.168.5.55

Am I missing something?

Regards,
Daniel D.

Luis González Romero

Apr 19, 2022, 6:18:58 AM
to Wazuh mailing list

Hello again, sorry for the late response.


I have replicated your case and the rule has been muted successfully:

  • Create the black_list with this content:

    192.168.5.55:
    
  • Add the list to the ruleset section within /var/ossec/etc/ossec.conf file.

  • Then, modify the rule in /var/ossec/etc/rules/local_rules.xml:

    <rule id="100002" level="0">
      <if_sid>5706</if_sid>
      <list field="srcip" lookup="address_match_key">etc/lists/black_list</list>
      <description>Rule to ignore known hosts</description>
      <group>pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,</group>
    </rule>
    
  • Finally, check the muted rule with wazuh-logtest:

root@manager:/home/vagrant# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.2.5
Type one log per line

Apr  8 10:34:43 omissis sshd[20220]: Did not receive identification string from 192.168.5.55

**Phase 1: Completed pre-decoding.
    full event: 'Apr  8 10:34:43 omissis sshd[20220]: Did not receive identification string from 192.168.5.55'
    timestamp: 'Apr  8 10:34:43'
    hostname: 'omissis'
    program_name: 'sshd'

**Phase 2: Completed decoding.
    name: 'sshd'
    parent: 'sshd'
    srcip: '192.168.5.55'

**Phase 3: Completed filtering (rules).
    id: '100002'
    level: '0'
    description: 'Rule to ignore known hosts'
    groups: '['local', 'syslog', 'sshd']'
    firedtimes: '1'
    gdpr: '['IV_32.2']'
    gpg13: '['7.6', '7.8', '7.13']'
    mail: 'False'
    pci_dss: '['10.2.5', '10.2.2']'


You have to modify each rule that you want to mute manually. If I figure out how to mute them all more easily, I'll tell you here.


Hope this helps you,

Luis.
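A way to sanity-check the list semantics before touching a manager, added here by the editor and not code from the thread or from Wazuh: the Python below parses a constructed plain-text list in the same key:value format as the black_list in the second answer, mimics the lookup="address_match_key" behaviour (exact address first, then trailing-dot prefixes such as 192.168.5., which the Wazuh CDB documentation accepts as subnet keys), and runs constructed sshd "Did not receive identification string" lines through the rule 5706 / rule 100002 logic from the two answers above. The function names (parse_cdb_list, address_match_key, decode_srcip, evaluate_sshd, run), the 10.20.30. entry and the log lines are the editor's assumptions; that rule 5706 is level 6 follows the stock sshd_rules.xml. As the thread itself found, the manager compiles the text file into a .cdb on restart, so the <list> entry in ossec.conf must point at the text file, not at a hand-made .cdb.

```python
"""Editor's simulation of a Wazuh CDB address-list lookup (not Wazuh code).

Mirrors the key convention Wazuh documents for lookup="address_match_key":
an exact address such as 192.168.5.55: or a trailing-dot prefix such as
192.168.5.: that covers every host in that block. List contents, log lines
and the sample rule outcome below are constructed for this demo.
"""
import re

# Constructed plain-text list, as it would sit in /var/ossec/etc/lists/black_list.
# The manager compiles this into black_list.cdb when it starts; ossec.conf must
# reference the text file, not a hand-made .cdb (assumption: same layout as the thread).
BLACK_LIST_TEXT = """\
# hosts whose sshd scan noise we do not want to see
192.168.5.55:
10.20.30.:internal-vuln-scanner
"""

# Constructed sshd lines in the shape of the one tested in the thread.
SAMPLE_LOGS = [
    "Apr  8 10:34:43 omissis sshd[20220]: Did not receive identification string from 192.168.5.55",
    "Apr  8 10:35:01 omissis sshd[20231]: Did not receive identification string from 10.20.30.7",
    "Apr  8 10:36:12 omissis sshd[20240]: Did not receive identification string from 203.0.113.9",
]

SSHD_NO_ID = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from (?P<srcip>[0-9.]+)$"
)


def parse_cdb_list(text):
    """Return {key: value} from 'key:value' lines; blank lines and '#' comments are skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entries[key.strip()] = value.strip()
    return entries


def address_match_key(entries, ip):
    """Exact address first, then every shorter prefix that ends in a dot.

    So 10.20.30.7 matches a '10.20.30.' key, while 110.20.30.7 does not,
    because candidate prefixes are only ever cut at a dot.
    """
    if ip in entries:
        return True
    candidate = ip
    while candidate:
        candidate = candidate[:-1]
        if candidate.endswith(".") and candidate in entries:
            return True
    return False


def decode_srcip(log):
    """Stand-in for the sshd decoder's srcip extraction; None if the line is another event."""
    m = SSHD_NO_ID.search(log)
    return m.group("srcip") if m else None


def evaluate_sshd(log, entries, lookup="address_match_key"):
    """Which rule wins for one 'Did not receive identification string' line.

    Rule 5706 (level 6 in the stock sshd_rules.xml) fires by default; the child
    rule 100002 from the thread (if_sid 5706, level 0) overrides it when the
    srcip lookup succeeds. lookup="not_address_match_key" flips the test, so a
    level-0 rule then silences every host NOT in the list, which is the
    "alerts only from known nodes" whitelist the first answer describes.
    """
    srcip = decode_srcip(log)
    if srcip is None:
        return None
    hit = address_match_key(entries, srcip)
    if lookup == "not_address_match_key":
        hit = not hit
    if hit:
        return {"srcip": srcip, "rule": "100002", "level": 0, "alert": False}
    return {"srcip": srcip, "rule": "5706", "level": 6, "alert": True}


def run(logs=SAMPLE_LOGS, list_text=BLACK_LIST_TEXT, lookup="address_match_key"):
    """Evaluate every sample line against the list; returns one verdict per line."""
    entries = parse_cdb_list(list_text)
    return [evaluate_sshd(line, entries, lookup) for line in logs]


if __name__ == "__main__":
    for verdict in run():
        print(verdict)
```

Run it as-is and the first two lines end in rule 100002 at level 0 (no alert) while the 203.0.113.9 line still fires 5706; pass lookup="not_address_match_key" to see the whitelist variant invert that. The real check on a manager is still /var/ossec/bin/wazuh-logtest after the restart, as in the transcript above; this script only lets you reason about which keys a given list will and will not match.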
