[ossec-list] Re: Excluding certain source IPs
I think in your alerts, you should retrieve the source IP. So, if you write
a local alert with the match tag, it could be a solution for you, no?
Of course, you have to include all alerts caused by this IP in the rule...
Not perfect.
On Wed, 3 Oct 2007 10:34:24 +1000, <kalman.dee@xxxxxxxx> wrote:
>
> Hi all,
>
> this might be simple but I can't find a reference to it.
>
> I'd like to exclude one source IP (or maybe its whole C-class) from
> being alerted on.
>
> (This host often runs nessus scans, causing all sorts of alerts on the
> apache servers).
>
> It looks like the <white_list> tag in ossec.conf is only for active
> response, not alerting.
>
> So I suppose some condition should go into local_rules.xml. But what?
>
> There should be an <if_srcip> tag to make an exemption based on
> address(es), but there is no such tag.
>
> How could a source IP be completely excluded from alerting?
>
> Thanks,
> Kal
>
>
> Kalman Dee
> Canberra, Australia
>
>
>
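The reply above suggests a local rule that uses `<match>` on the scanner's address to silence alerts. As an added illustration (not code from either poster), the fragment below shows what such an entry in local_rules.xml could look like. Everything specific is an assumption for the example: rule ids 100100/100101 (the 100000-109999 range is reserved for local rules), the group name "apache" for the stock Apache rules, and the 192.0.2.x placeholder addresses.

```xml
<!-- Added example for local_rules.xml; not from the thread. Assumptions:
     rule ids in the local range, group "apache" for the Apache rule set,
     and a placeholder scanner address. -->
<group name="local,">

  <!-- Level 0 drops the alert entirely. <if_group> limits the override to
       events that already fired an Apache rule; <match> is a plain substring
       test against the log line, so the scanner IP must actually appear in
       the logged message. -->
  <rule id="100100" level="0">
    <if_group>apache</if_group>
    <match>192.0.2.10</match>
    <description>Ignore Apache events from the authorised scanner host (placeholder IP).</description>
  </rule>

  <!-- Variant for a whole /24. The trailing dot keeps the substring from
       also matching addresses such as 192.0.21.x. -->
  <rule id="100101" level="0">
    <if_group>apache</if_group>
    <match>192.0.2.</match>
    <description>Ignore Apache events from the scanner subnet (placeholder range).</description>
  </rule>

</group>
```

Two caveats for anyone adopting this pattern: because `<match>` looks at the whole log line rather than the decoded source-IP field, the rule also silences any Apache event in which that string appears elsewhere (for example in a request URL), and the exemption is only as narrow as the `<if_group>` or `<if_sid>` scope you give it. OSSEC's rule syntax also offers a `<srcip>` option that tests the decoded source address directly (not mentioned in this thread); which options your installed version supports is something to confirm against its rules documentation before relying on it.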
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.