how to stop sending alert mail when a rule is fired by a whitelisted IP?


mauro....@cmcc.it
May 23, 2021, 2:42:41 PM
to Wazuh mailing list

Hi All,

I just added, for testing purposes, an IP address in the whitelist in ossec.conf configuration file (on server).
If a rule is fired due to some particular activities executed by the whitelisted IP, no active responses are launched. And it is ok for me!

In any case, I'm still receiving the alert email and it is not what I'm expecting.
Is there a way to stop the emails to be sent when a rule is fired by a whitelisted IP?
Or, alternatively, can they be sent only to my mail address?

Thank you in advance,
Mauro

Jesús Sánchez de Lechina Tejada
May 24, 2021, 4:10:05 AM
to Wazuh mailing list
Hi Mauro,

The reason why you are still receiving the alerts is that whitelisting, as you mentioned, only blocks the active response. The goal of this is to stop the active response while still being aware of the issue.

How did you set your email configuration? Using the email configuration options we can approach this issue in a non-dynamic way. You could make use of the <event_location> option to explicitly specify which hosts, IPs or IP range you would like to be alerted from:

<email_alerts>
  <email_to>te...@test.com</email_to>
  <!-- minimum alert level that triggers an email -->
  <level>12</level>
  <!-- '|' separates alternatives; each entry matches hosts, IPs or IP prefixes -->
  <event_location>10.1.111.|10.1.112.|10.1.113.|10.1.114.|10.1.115.|10.1.116.|10.1.117.|10.1.118.</event_location>
  <do_not_delay/>
  <do_not_group/>
</email_alerts>


Besides, you could add a new email_alerts section with the whitelisted agent in <event_location> and set the <email_to> tag to a different email to keep track of these whitelisted agents.

Alternatively, take a look at the granular email settings in case you could make use of any additional option such as ignoring a specific rule ID or adjusting the alert level.

Regards,

Jesús

Mauro Tridici
May 24, 2021, 4:58:08 AM
to Jesús Sánchez de Lechina Tejada, Wazuh mailing list
Hi Jesus,

thank you for your answer.
Anyway, I think that I should explain my needs in a better way.

In this particular use-case, an external public IP address (let’s say IP 1.1.1.1) has been authorized to perform multiple FTP connections against our FTP servers (they are all Wazuh agents).
So, I added this IP in my <white_list> list and, as you mentioned, no active responses can be executed for this IP.

Unfortunately, I'm still receiving a lot of alert messages (see the example below).

Wazuh Notification.
2021 May 23 12:36:12

Received From: (ftp_agent) 3.3.3.3->/var/log/vsftpd.log
Rule: 11452 fired (level 10) -> "vsftpd: Multiple FTP connection attempts from same source IP."
Src IP: ::ffff:1.1.1.1
Portion of the log(s):

Sun May 23 14:36:12 2021 [pid 84298] CONNECT: Client "::ffff:1.1.1.1"
Sun May 23 14:36:10 2021 [pid 84293] CONNECT: Client "::ffff:1.1.1.1"
Sun May 23 14:36:08 2021 [pid 84289] CONNECT: Client "::ffff:1.1.1.1"
Sun May 23 14:36:07 2021 [pid 84284] CONNECT: Client "::ffff:1.1.1.1"
Sun May 23 14:36:04 2021 [pid 84278] CONNECT: Client "::ffff:1.1.1.1"
Sun May 23 14:36:02 2021 [pid 84273] CONNECT: Client "::ffff:1.1.1.1"
Sun May 23 14:36:00 2021 [pid 84267] CONNECT: Client "::ffff:1.1.1.1"
Sun May 23 14:35:58 2021 [pid 84262] CONNECT: Client "::ffff:1.1.1.1"
Sun May 23 14:35:56 2021 [pid 84255] CONNECT: Client "::ffff:1.1.1.1"
Sun May 23 14:35:55 2021 [pid 84250] CONNECT: Client "::ffff:1.1.1.1"
Sun May 23 14:35:53 2021 [pid 84245] CONNECT: Client "::ffff:1.1.1.1"
Sun May 23 14:35:51 2021 [pid 84240] CONNECT: Client "::ffff:1.1.1.1"

These are my current email alerts settings.

<email_alerts>
  <email_to>my_mail_address</email_to>
  <level>8</level>
</email_alerts>

<email_alerts>
  <email_to>my_team_mailing_list</email_to>
  <level>10</level>
</email_alerts>

I don't want to change the level of the alerts or restrict them to a particular event_location.
I would only like to avoid receiving this alert message when this rule is fired on "ftp_agent".

Do you think that I can do it somehow?

Many thanks for your availability.
Mauro


Jesús Sánchez de Lechina Tejada
May 24, 2021, 6:59:30 AM
to Wazuh mailing list
Okay, I see what you mean.

I believe that it is a good idea to apply the event_location approach. As you have separate internal/external networks, it should be convenient to add your internal subnet to the email-monitored group. So I definitely recommend that you give it a chance if you find it suitable.

I came up with an alternative way to do this which, unfortunately, can't be used currently due to this issue. It would be an approach based on agent labels and custom rules: this solution would consist of first setting a label for this agent, then adding a custom child rule for rule 11452. This rule would have the no_email_alert option along with a match check of the agent label. As I mentioned, this can't be done yet, as agent labels are added after an alert is triggered, but it would totally be a workaround for your goal. So, I encourage you to leave some feedback on that issue, so that it will be implemented sooner.

So, summing up, I recommend that you give the event_location approach a chance, and I will let you know of any alternative way to do so if I come up with anything else.

Regards,
Jesús

Mauro Tridici
May 24, 2021, 7:32:43 AM
to Jesús Sánchez de Lechina Tejada, Wazuh mailing list
Many thanks, Jesus.
I just added my feedback to the existing issue on GitHub. I will wait for this very important feature.

Meanwhile, let's see if I understood your suggestion.
If I'm not wrong, I should add this code to the ossec.conf file on the Wazuh server.

<email_alerts>
  <email_to>my_mail_address</email_to>
  <level>8</level>
  <event_location>ftp_server01|ftp_server02|ftp_server03</event_location>
  <do_not_delay/>
  <do_not_group/>
</email_alerts>

<email_alerts>
  <email_to>my_team_mail_address</email_to>
  <level>11</level>
  <event_location>ftp_server01|ftp_server02|ftp_server03</event_location>
  <do_not_delay/>
  <do_not_group/>
</email_alerts>


In this way, when an external, authorized IP address performs "multiple connections" (alert level 10) against one of the "ftp_server*" agents, the alert emails will be sent only to my_mail_address. Is that correct?
Did I understand your suggestion?

Thank you for your patience.
Mauro

Jesús Sánchez de Lechina Tejada
May 24, 2021, 8:32:54 AM
to Wazuh mailing list
Hi Mauro,

Yes, you may also add the whitelisted FTP client to the first <email_alerts> section if you still want to get notified about it.

As a convenient tip, if your agents are under a range of IPs (e.g. 10.3.1.X), you could use an expression like "10.3.1." and it should work as a wildcard for any agent beneath that subnet.

Something like this:

<email_alerts>
  <email_to>my_team_mail_address</email_to>
  <level>11</level>
  <event_location>10.3.1.|192.161.1.</event_location>
  <do_not_delay/>
  <do_not_group/>
</email_alerts>

I really hope this works out for you! I'll be here to help you otherwise.

Regards,
Jesús
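As an added illustration (not code from the thread or from Wazuh itself), the script below simulates which <email_alerts> sections an alert would satisfy, using a constructed ossec.conf fragment modelled on the sections above and an alert shaped like the vsftpd notification quoted earlier in the thread. It assumes a simplified reading of event_location matching ('|' separates alternatives, each a plain substring), and also shows that the <white_list> only affects active response, never email.

```python
"""Simulate Wazuh <email_alerts> recipient selection for a single alert."""
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment (assumption: modelled on the thread's sections).
CONF = """<ossec_config>
  <email_alerts>
    <email_to>my_mail_address</email_to>
    <level>8</level>
    <event_location>ftp_agent|10.3.1.</event_location>
  </email_alerts>
  <email_alerts>
    <email_to>my_team_mail_address</email_to>
    <level>11</level>
    <event_location>10.3.1.|192.161.1.</event_location>
  </email_alerts>
</ossec_config>"""

# Constructed alert shaped like the notification quoted in the thread.
FTP_ALERT = {"location": "(ftp_agent) 3.3.3.3->/var/log/vsftpd.log",
             "level": 10, "rule_id": 11452, "srcip": "1.1.1.1"}


def location_matches(pattern, location):
    """'|' separates alternatives; each alternative is a plain substring match.
    Assumed simplification of Wazuh's matcher (anchors such as ^ and $ are ignored)."""
    return any(alt and alt in location for alt in pattern.split("|"))


def email_recipients(conf_xml, alert):
    """Return <email_to> of every section whose level and event_location the alert fits."""
    hits = []
    for sec in ET.fromstring(conf_xml).findall("email_alerts"):
        if alert["level"] < int(sec.findtext("level", "0")):
            continue  # below this section's minimum level
        loc = sec.findtext("event_location")
        if loc and not location_matches(loc, alert["location"]):
            continue  # alert did not come from an agent this section covers
        hits.append(sec.findtext("email_to"))
    return hits


def active_response_allowed(alert, white_list):
    """Whitelisting only suppresses active response; email selection above ignores it."""
    return alert["srcip"] not in white_list


if __name__ == "__main__":
    print(email_recipients(CONF, FTP_ALERT))                # ['my_mail_address']
    print(active_response_allowed(FTP_ALERT, ["1.1.1.1"]))  # False
```

Running it shows the level-10 FTP alert reaching only my_mail_address (the team section requires level 11), while the whitelisted source still blocks the active response.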

Mauro Tridici
May 24, 2021, 10:46:53 AM
to Jesús Sánchez de Lechina Tejada, Wazuh mailing list
Hi Jesus,

it works! Thank you very much :)

Anyway, I hope that the issue mentioned in your previous emails will be solved as soon as possible.

Have a great day,
Mauro

Jesús Sánchez de Lechina Tejada
May 24, 2021, 11:42:03 AM
to Wazuh mailing list
Fantastic!

I will let the team know about the interest in that feature.

Have a great day too, and don't hesitate to post again if you come up with any other queries.

Jesús

Mauro Tridici
May 24, 2021, 12:41:46 PM
to Jesús Sánchez de Lechina Tejada, Wazuh mailing list
Hi Jesus,

I would like to take this opportunity ( :-P ) to ask your opinion about the issue I mentioned in the case I recently opened with the title "how to add geoip info in wazuh alert emails".

Thank you in advance,
Mauro

Jesús Sánchez de Lechina Tejada
May 25, 2021, 3:25:16 AM
to Wazuh mailing list
I am taking a look at it and will discuss it with my mate. But we will keep that on a separate thread so that we don't mix the topics.

Thanks for your understanding.
Regards!

Mauro Tridici
May 25, 2021, 3:46:08 AM
to Jesús Sánchez de Lechina Tejada, Wazuh mailing list
Good Morning Jesus,

you are right; if you agree, we can use the existing topic or open a new one.

Thank you for your help.
Kind Regards,
Mauro
