
[ossec-list] Re: Can IP ranges be put in the whitelist



Yep, we need to change this. Actually, it will only accept CIDRs /8, /16, /24 and /32. If you want to manually fix this issue, edit src/shared/validate_op.c and insert /25 there, something like:

change this:
        /* The CIDR can only be from 8,16,24 to 32 */
        if((cidr != 8) && (cidr != 16) && (cidr != 24) && (cidr != 32))
        {
            return(0);
        }
to this:
        /* The CIDR can only be from 8,16,24 to 32 */
        if((cidr != 8) && (cidr != 16) && (cidr != 24) && (cidr != 32) && (cidr != 25 ))
        {
            return(0);
        }

and this:
    else if(cidr && (cidr == 24))
    {
        snprintf(ip_address, ip_address_size, ".%d.%d.%d.",
                                              ip_parts[0],
                                              ip_parts[1],
                                              ip_parts[2]);
    }
    /* Returning success */
    return(1);
}
to this:
    else if(cidr && (cidr == 24))
    {
        snprintf(ip_address, ip_address_size, ".%d.%d.%d.",
                                              ip_parts[0],
                                              ip_parts[1],
                                              ip_parts[2]);
    }
    else if(cidr && (cidr == 25))
    {
        snprintf(ip_address, ip_address_size, ".%d.%d.%d.",
                                             ip_parts[0],
                                             ip_parts[1],
                                             ip_parts[2]);
    }
    /* Returning success */
    return(1);
}

2006/8/8, Leslie S Arvin <arvin@xxxxxxxxxx>:

Can less-common IP ranges be put in the whitelist?  I haven't
deployed 0.9 yet, but in ossec-hids 0.8 when I tried to specify
in the configuration file:

<white_list> 128.210.191.128/25</white_list>

...ossec reported configuration errors and would not start.


# /opt/ossec  bin/ossec-control restart
Killing ossec-logcollector ..
ossec-remoted not running ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
OSSEC HIDS v0.8 Stopped
Starting OSSEC HIDS v0.8 (by Daniel B. Cid)...
2006/08/08 10:51:57 ossec-analysisd(1237): Invalid ip address: ' 128.210.191.128/25'.
2006/08/08 10:51:57 ossec-analysisd(1202): Configuration problem. Exiting.
2006/08/08 10:51:57 ossec-analysisd(1202): Configuration problem. Exiting.
ossec-analysisd: Configuration error. Exiting


-- Leslie Arvin
    arvin@xxxxxxxxxx, Office: SCCA 23F, Phone: 765-496-3971
    Network Systems Administrator, ITI-Networks
    Purdue University, Information Technology at Purdue


Meir Michanie wrote:
> yes, read the online manual
>
> On 8/8/06, *Charles Webb* <bmallice@xxxxxxxxx
> <mailto: bmallice@xxxxxxxxx>> wrote:
>
>
>     My main question for this is due to the hoster I am with requires
>     certain ip's be whitelisted so
>     their monitoring can get in correctly. Any help would be greatly
>     appreciated.
>
>



--
Certified LPIC -1
http://www.underlinux.com.br

Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
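
An added example, not part of the thread or of OSSEC's code: the /25 branch in the manual fix above writes the same three-octet string as the /24 branch, so that string alone cannot distinguish the /25 from the whole /24, and a whitelist entry handled that way can exempt more addresses than the administrator asked for. The sketch below keeps a network and a mask instead, so any prefix length from 0 to 32 is parsed and matched exactly; `cidr_block`, `cidr_parse` and `cidr_match` are hypothetical names, and a POSIX system is assumed for `inet_pton`.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical type for this example, not an OSSEC structure. */
typedef struct { uint32_t net, mask; } cidr_block;

/* Parse "a.b.c.d" or "a.b.c.d/n" with n in 0..32. Returns 1 on success. */
int cidr_parse(const char *s, cidr_block *out)
{
    char buf[INET_ADDRSTRLEN], *end;
    struct in_addr a;
    unsigned long bits = 32;           /* no "/n" means a single host */
    const char *slash;
    size_t n;

    while (*s == ' ') s++;             /* the value in the log on the page starts with a blank */
    slash = strchr(s, '/');
    n = slash ? (size_t)(slash - s) : strlen(s);
    if (n == 0 || n >= sizeof(buf)) return 0;
    memcpy(buf, s, n);
    buf[n] = '\0';
    if (inet_pton(AF_INET, buf, &a) != 1) return 0;
    if (slash) {
        if (slash[1] < '0' || slash[1] > '9') return 0;
        bits = strtoul(slash + 1, &end, 10);
        if (*end != '\0' || bits > 32) return 0;
    }
    out->mask = bits ? (uint32_t)(0xFFFFFFFFu << (32 - bits)) : 0;
    out->net = ntohl(a.s_addr) & out->mask;
    return 1;
}

/* Returns 1 when ip lies inside the block, 0 otherwise or on a bad address. */
int cidr_match(const cidr_block *c, const char *ip)
{
    struct in_addr a;
    if (inet_pton(AF_INET, ip, &a) != 1) return 0;
    return (ntohl(a.s_addr) & c->mask) == c->net;
}

int main(void)
{
    cidr_block wl;
    if (!cidr_parse(" 128.210.191.128/25", &wl)) return 1;
    printf("%d %d\n", cidr_match(&wl, "128.210.191.200"),   /* upper half of the /24 */
                      cidr_match(&wl, "128.210.191.5"));    /* lower half of the /24 */
    return 0;
}
```
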