[ossec-list] Re: Excluding certain source IPs
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Excluding certain source IPs
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Thu, 4 Oct 2007 22:15:42 -0300
Hi Kalman,
A simple way to solve this is by creating a local rule that ignores the event
whenever this IP is present in the log (in this case for every alert above level 6):
<group name="local">
  <rule id="100101" level="0">
    <if_level>6</if_level>
    <match>ip.address</match>
    <description>Events ignored from ip</description>
  </rule>
</group>
You can also use <srcip>ip address</srcip>, but in some cases it may
not be decoded.
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/2/07, kalman.dee@xxxxxxxx <kalman.dee@xxxxxxxx> wrote:
>
> Hi all,
>
> this might be simple but I can't find a reference to it.
>
> I'd like to exclude one source IP (or maybe its whole C-class) from
> being alerted on.
>
> (This host often runs nessus scans, causing all sorts of alerts on the
> apache servers).
>
> It looks like the <white_list> tag in ossec.conf is only for active
> response, not alerting.
>
> So I suppose some condition should go into local_rules.xml. But what?
>
> There should be an <if_srcip> tag to make an exemption based on
> address(es), but there is no such tag.
>
> How could a source IP be completely excluded from alerting?
>
> Thanks,
> Kal
>
>
> Kalman Dee
> Canberra, Australia
>
>
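As an added example (not from the reply above or from the OSSEC project), here is a local_rules.xml fragment with both variants side by side: the literal <match> from the reply and the decoded <srcip> form with a netmask, which covers the whole C-class the original question asks about. The addresses 192.0.2.10 and 192.0.2.0/24 are constructed placeholders.

```xml
<!-- Added example, not part of the original thread. Both entries silence matching
     events (level 0 produces no alert) once another rule has fired at level 6 or above. -->
<group name="local">

  <!-- Variant 1: plain string match anywhere in the raw log line, as in the reply.
       Caveat: <match> is a substring test, so "192.0.2.1" would also match
       192.0.2.10 and 192.0.2.100; use the complete address of the host. -->
  <rule id="100101" level="0">
    <if_level>6</if_level>
    <match>192.0.2.10</match>
    <description>Events ignored from the scanner host (constructed address)</description>
  </rule>

  <!-- Variant 2: decoded source IP with a netmask, covering the whole /24.
       This only applies when the decoder for the log format extracts srcip,
       which is the case the reply warns may not hold for every log type. -->
  <rule id="100102" level="0">
    <if_level>6</if_level>
    <srcip>192.0.2.0/24</srcip>
    <description>Events ignored from the scanner subnet (constructed range)</description>
  </rule>

</group>
```

After editing local_rules.xml, restart OSSEC and confirm with ossec-logtest that a sample line from the scanner host now ends at rule 100101 or 100102 with level 0 rather than at the original alert.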
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.