Hi, Rick.

Much to my chagrin, I noticed that my version of OH was 1.4.  I think (that 
being the operative word) that accepting CIDR notations other than 8, 16, 24, 
and 32 wasn't implemented in OH until a later version.  Anyway, I upgraded 
to version 1.6, used <srcip>192.168.100.0/22</srcip>, my users are pinging 
away, and I'm not getting any more notifications!

Thanks so much for your help and patience.

Dimitri


On Wednesday 07 January 2009 4:48 pm, McClinton, Rick wrote:
> Hi Dimitri.
>
> Source diving in the snapshot release,
> ossec-hids-081212/src/shared/validate_op.c shows it understands a /22 as:
>
> _netmasks[22] = 0xFFFFFC00;
>
> Which should be OK, but I guess there could still be bugs. I didn't do the
> CVS diving to see when this was added so I don't know that your source code
> is the same.
>
> How about using chunks, you can have multiple srcip tags in the rule.
>
> <srcip>192.168.100.0/24</srcip>
> <srcip>192.168.101.0/24</srcip>
> <srcip>192.168.102.0/24</srcip>
> <srcip>192.168.103.0/24</srcip>
>
> Also, have you tried your rule against ossec-logtest -f?
>
> c.f. http://www.ossec.net/dcid/?p=136
>
> Rick
>
>
>
> -----Original Message-----
> From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On
> Behalf Of Dimitri Yioulos Sent: Wednesday, January 07, 2009 3:53 PM
> To: ossec-list@googlegroups.com
> Subject: [ossec-list] Re: Preventing locally triggered rule
> Importance: Low
>
>
> Thanks very much, Rick!
>
> I checked the docs for any information on srcip, and also googled, but came
> up relatively empty.  So, I took the rule you so kindly provided, and
> included:
>
> <srcip>192.168.100.0/22</srcip>
>
> But, that didn't work.  I read somewhere (regarding whitelisting, I think)
> that OH doesn't like CIDR notations other than 8, 16, 24, and 32.  Nowhere
> have I seen that I can use the actual subnet mask (in our case,
> 255.255.252.0).
>
> It would be a PITA to have to enter all of the workstations I want to filter
> out and, of course, there's DHCP to deal with.
>
> Any idea how I might be able to deal with this?
>
> Dimitri
>
>
>


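The thread turns on two points: whether a /22 mask (0xFFFFFC00, as Rick quotes from validate_op.c) matches hosts across 192.168.100.0 through 192.168.103.255, and what the /24 chunks covering that range actually are. The following C program is an added example written for this page, not code from OSSEC; it reproduces the mask-and-compare style of check in a self-contained form (function names such as parse_cidr and split_cidr are my own) so the behaviour can be tried against a few constructed addresses. It also shows that a host address given with a prefix, such as 192.168.100.1/24, normalizes to the 192.168.100.0/24 network, so /24 chunks covering a /22 must differ in the third octet.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Netmask for a prefix length 0..32, host byte order.
 * prefix_to_mask(22) == 0xFFFFFC00, the value the thread quotes. */
uint32_t prefix_to_mask(int prefix)
{
    if (prefix <= 0) return 0u;
    if (prefix >= 32) return 0xFFFFFFFFu;
    return 0xFFFFFFFFu << (32 - prefix);
}

/* Count the leading one bits of a contiguous netmask. */
int mask_to_prefix(uint32_t mask)
{
    int n = 0;
    while (n < 32 && (mask & (0x80000000u >> n))) n++;
    return n;
}

/* Dotted quad -> host-order integer. Returns 1 on success, 0 on bad input
 * (wrong field count, octet > 255, trailing junk). */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

struct cidr { uint32_t net; uint32_t mask; };

/* Parse "a.b.c.d/n" or a bare "a.b.c.d" (treated as /32). Any prefix length
 * 0..32 is accepted, not only 8/16/24/32. The network is normalized by
 * masking, so "192.168.100.1/24" becomes 192.168.100.0/24. */
int parse_cidr(const char *s, struct cidr *out)
{
    char buf[64];
    char *slash;
    int prefix = 32;
    if (strlen(s) >= sizeof buf) return 0;
    strcpy(buf, s);
    slash = strchr(buf, '/');
    if (slash) {
        char *end;
        *slash = '\0';
        prefix = (int)strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || prefix < 0 || prefix > 32) return 0;
    }
    if (!parse_ipv4(buf, &out->net)) return 0;
    out->mask = prefix_to_mask(prefix);
    out->net &= out->mask;
    return 1;
}

/* The srcip-style test: mask the candidate and compare with the network. */
int cidr_contains(const struct cidr *c, const char *ip)
{
    uint32_t a;
    if (!parse_ipv4(ip, &a)) return 0;
    return (a & c->mask) == c->net;
}

/* Enumerate the /new_prefix blocks that together cover c (e.g. a /22 into
 * four /24s). Returns the number of blocks written, or -1 if new_prefix is
 * shorter than c's prefix or the result would not fit in out[]. */
int split_cidr(const struct cidr *c, int new_prefix, struct cidr *out, int max_out)
{
    int old_prefix = mask_to_prefix(c->mask);
    int shift = new_prefix - old_prefix;
    uint32_t count, step, newmask, i;
    if (new_prefix > 32 || shift < 0 || shift > 30) return -1;
    count = 1u << shift;
    if (count > (uint32_t)max_out) return -1;
    step = new_prefix ? (1u << (32 - new_prefix)) : 0u;
    newmask = prefix_to_mask(new_prefix);
    for (i = 0; i < count; i++) {
        out[i].net = c->net + i * step;
        out[i].mask = newmask;
    }
    return (int)count;
}

void cidr_to_str(const struct cidr *c, char *buf, size_t n)
{
    snprintf(buf, n, "%u.%u.%u.%u/%d", c->net >> 24, (c->net >> 16) & 255u,
             (c->net >> 8) & 255u, c->net & 255u, mask_to_prefix(c->mask));
}

int main(void)
{
    /* Constructed sample input matching the thread's network. */
    const char *hosts[] = { "192.168.100.7", "192.168.102.17", "192.168.104.1" };
    struct cidr net, parts[8];
    char buf[32];
    int i, n;
    parse_cidr("192.168.100.0/22", &net);
    printf("mask for /22 = 0x%08X\n", net.mask);
    for (i = 0; i < 3; i++)
        printf("%-16s in 192.168.100.0/22: %s\n", hosts[i],
               cidr_contains(&net, hosts[i]) ? "yes" : "no");
    n = split_cidr(&net, 24, parts, 8);
    for (i = 0; i < n; i++) {
        cidr_to_str(&parts[i], buf, sizeof buf);
        printf("chunk %d: <srcip>%s</srcip>\n", i, buf);
    }
    return 0;
}
```

Compile with `cc -o cidr cidr.c && ./cidr`; the chunk lines it prints are the four /24 srcip entries that together equal the single /22, which is the fallback to use on a build that rejects prefix lengths other than 8, 16, 24 and 32.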