Hi Oliver,

It seems that you configured the white_list on the agent side, but it should be set on the server's ossec.conf. That's probably why it didn't work.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Sat, Dec 13, 2008 at 2:22 PM, Oliver Jagape <oliver.jag...@concentrix.com> wrote:
> I think so, I also remember restarting it several times, but still whenever
> some user from this x.x.x.x ip got multiple login failures, active-response
> blacklisted it.
>
> note that I already put this ip inside <white_list>
>
> <global>
> <white_list>127.0.0.1</white_list>
> <white_list>10.1.0.0/16</white_list>
> <white_list>x.x.x.x</white_list>
> </global>
>
> btw, here's my ossec.conf
>
> <ossec_config>
> <client>
> <server-ip>192.168.1.254</server-ip>
> </client>
>
> <global>
> <white_list>127.0.0.1</white_list>
> <white_list>x.x.x.x</white_list> - changed the actual IP
> <white_list>10.10.0.0/16</white_list>
> <white_list>10.14.0.0/16</white_list>
> </global>
>
> <syscheck>
> <!-- Frequency that syscheck is executed - default to every 6 hours -->
> <frequency>21600</frequency>
>
> <!-- Directories to check (perform all possible verifications) -->
> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> <directories check_all="yes">/bin,/sbin</directories>
>
> <!-- Files/directories to ignore -->
> <ignore>/etc/mtab</ignore>
> <ignore>/etc/mnttab</ignore>
> <ignore>/etc/hosts.deny</ignore>
> <ignore>/etc/mail/statistics</ignore>
> <ignore>/etc/random-seed</ignore>
> <ignore>/etc/adjtime</ignore>
> <ignore>/etc/httpd/logs</ignore>
> <ignore>/etc/utmpx</ignore>
> <ignore>/etc/wtmpx</ignore>
> <ignore>/etc/cups/certs</ignore>
> <ignore>/etc/dumpdates</ignore>
> <ignore>/etc/svc/volatile</ignore>
>
> <!-- Windows files to ignore -->
> <ignore>C:\WINDOWS/System32/LogFiles</ignore>
> <ignore>C:\WINDOWS/Debug</ignore>
> <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
> <ignore>C:\WINDOWS/iis6.log</ignore>
> <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
> <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
> <ignore>C:\WINDOWS/Prefetch</ignore>
> <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
> <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
> <ignore>C:\WINDOWS/Temp</ignore>
> <ignore>C:\WINDOWS/system32/config</ignore>
> <ignore>C:\WINDOWS/system32/spool</ignore>
> <ignore>C:\WINDOWS/system32/CatRoot</ignore>
> </syscheck>
>
> <rootcheck>
> <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
> <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
> </rootcheck>
>
> <!-- Files to monitor (localfiles) -->
> <localfile>
> <log_format>syslog</log_format>
> <location>/var/log/messages</location>
> </localfile>
>
> <localfile>
> <log_format>syslog</log_format>
> <location>/var/log/secure</location>
> </localfile>
>
> <localfile>
> <log_format>syslog</log_format>
> <location>/var/log/xferlog</location>
> </localfile>
>
> <localfile>
> <log_format>syslog</log_format>
> <location>/var/log/maillog</location>
> </localfile>
>
> <localfile>
> <log_format>syslog</log_format>
> <location>/var/log/amavis.log</location>
> </localfile>
>
> <localfile>
> <log_format>apache</log_format>
> <location>/var/log/httpd/error_log</location>
> </localfile>
>
> <localfile>
> <log_format>apache</log_format>
> <location>/var/log/httpd/access_log</location>
> </localfile>
>
> <localfile>
> <log_format>apache</log_format>
> <location>/etc/httpd/logs/access_log</location>
> </localfile>
>
> <localfile>
> <log_format>apache</log_format>
> <location>/etc/httpd/logs/error_log</location>
> </localfile>
>
> <localfile>
> <log_format>apache</log_format>
> <location>/etc/httpd/logs/*log</location>
> </localfile>
>
> <localfile>
> <log_format>syslog</log_format>
> <location>/var/log/amavis.log</location>
> </localfile>
>
> </ossec_config>
>
>
> Dave Cushing wrote:
>
> Did you remember to restart OSSEC? (hangs his head in shame) I've been
> caught by that one a few times..
>
> -----Original Message-----
> From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On
> Behalf Of Oliver Jagape
> Sent: Friday, December 12, 2008 10:25 AM
> To: ossec-list@googlegroups.com; Dave Cushing
> Subject: [ossec-list] white list specific ip on active response
>
>
> Hi,
>
> I've been reading the wiki, this is related to ignoring a specific ip on
> active response, it says in the example
>
> <global>
> <white_list>127.0.0.1</white_list>
> <white_list>10.1.0.0/16</white_list>
> <white_list>1.2.3.4</white_list>
> </global>
>
>
> am I correct to put it at ossec.conf?, or is there a particular conf
> file where I should put this?
> coz, putting this at ossec.conf, the ip that should be ignored is still
> being blacklisted by active response.
>
>
> tia
>
> Oliver
>
>
> Oliver
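Daniel's diagnosis (the `<white_list>` entries belong in the server's ossec.conf `<global>` section, and the agent-side copy is never consulted by active response) can be checked mechanically. The following is an added example, not code from the thread or from OSSEC itself: it parses an ossec.conf, flags the file as an agent config when it carries a `<client>` block, and tests whether a source address falls inside any `<white_list>` entry, CIDR ranges included. It assumes a single `<ossec_config>` root element and IP/CIDR entries only; both sample configs and the address 203.0.113.7 are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample shaped like the agent-side ossec.conf quoted in the
# thread: the <client> block marks it as an agent config. 203.0.113.7 stands
# in for the "x.x.x.x" address that was supposed to be exempt.
AGENT_CONF = """<ossec_config>
  <client><server-ip>192.168.1.254</server-ip></client>
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>10.1.0.0/16</white_list>
    <white_list>203.0.113.7</white_list>
  </global>
</ossec_config>"""

# The same <global> block placed where it takes effect: the server's
# ossec.conf, which has no <client> section. Also a constructed sample.
SERVER_CONF = AGENT_CONF.replace(
    "  <client><server-ip>192.168.1.254</server-ip></client>\n", "")


def load_white_list(conf_xml):
    """Parse one <ossec_config> document; return (is_agent_conf, networks).

    Assumes a single root element and IP/CIDR white_list entries only
    (hostname entries are not handled here).
    """
    root = ET.fromstring(conf_xml)
    is_agent = root.find("client") is not None
    nets = [ipaddress.ip_network(e.text.strip(), strict=False)
            for e in root.iter("white_list") if e.text and e.text.strip()]
    return is_agent, nets


def audit_white_list(conf_xml, src_ip):
    """Return (effective, covered) for src_ip against this config.

    effective: False when the file is an agent config, where <white_list>
               is never consulted because active response is decided on
               the server (the point Daniel makes above).
    covered:   whether src_ip matches any <white_list> entry, CIDR included.
    """
    is_agent, nets = load_white_list(conf_xml)
    ip = ipaddress.ip_address(src_ip)
    covered = any(ip in net for net in nets)
    return (not is_agent), covered


if __name__ == "__main__":
    for name, conf in (("agent", AGENT_CONF), ("server", SERVER_CONF)):
        effective, covered = audit_white_list(conf, "203.0.113.7")
        print(f"{name} ossec.conf: entry effective={effective}, ip covered={covered}")
```

Run against a real deployment, the agent file reports the address as covered but the entry as ineffective, which is exactly the situation in the thread: the whitelist is syntactically right but on the wrong host.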