Hello Folks, I am looking into how to get one agent host NOT to induce the OSSEC server host to trigger an active response block on another agent host as a result of some action by that source agent host that would normally trigger said active response. Example: source agent host Apple1 tries to do something on host Apple2 on the same subnet. Unfortunately, this action falls under a rule that triggers an active response from the server, resulting in Apple1 blocking Apple2 - this is an unwanted reaction.
The closest I have come to a solution comes from the OSSEC documentation: http://www.ossec.net/wiki/Know_How:Ignore_Rules

"Ignoring snort message

If you want to ignore the log from the #Introduction, you can use "id", "srcip", etc. for it.

    Jun 3 15:34:33 saratoga.denmantire.com snort[27016]: [122:3:0] (portscan) TCP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80

To ignore every Snort id "122", coming from srcip 192.168.0.150 and from hostname "saratoga", the following rule would do it:

    <rule id="100202" level="0">
      <if_sid>20151</if_sid>
      <hostname>saratoga</hostname>
      <program_name>^snort</program_name>
      <srcip>192.168.0.150</srcip>
      <id>^122:</id>
      <description>Ignored snort event.</description>
    </rule>
"

I think this rule says: if rule 20151 (i.e. the rule that normally triggers an active response) is triggered, check that the target host is "saratoga", that the attack IP is 192.168.0.150 and that the program name is "snort". If that is the case, ignore rule 122 - In our situation, we would want to ignore 20151 instead of ignoring rule 122. Am I correct?
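The following is an added example of the ignore-rule mechanism the quoted documentation describes, written for the post's Apple1/Apple2 scenario; it is not from the original post or from the OSSEC project. It assumes rule 20151 is the Snort portscan rule quoted above, that 10.0.0.11 is a constructed address for the trusted agent Apple1, and that "apple2" is the hostname the event is logged from. A level-0 rule that uses if_sid to hang off the parent rule re-classifies any matching event as the child rule, so the parent's level (and therefore the active response bound to it) no longer applies to that event; all match conditions in one rule are ANDed.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml (not from the post or the OSSEC docs).
     Assumptions: 20151 is the Snort portscan rule quoted in the post, 10.0.0.11 is a
     constructed address for the trusted agent "Apple1", and "apple2" is the hostname the
     Snort log line is reported from. Ids 100000-119999 are reserved for local rules. -->
<group name="local,snort,">

  <!-- Level-0 child of 20151. When the source IP is the trusted host, the event is
       matched as rule 100210 instead of 20151, so no alert is generated and no
       active response (e.g. firewall-drop against 10.0.0.11) is triggered. -->
  <rule id="100210" level="0">
    <if_sid>20151</if_sid>
    <srcip>10.0.0.11</srcip>
    <hostname>apple2</hostname>
    <description>Snort portscan from trusted host Apple1; no active response.</description>
  </rule>

</group>
```

Two checks worth doing before relying on this: paste the Snort log line into /var/ossec/bin/ossec-logtest and confirm the output shows rule 100210 at level 0 rather than 20151, and remember that the override only covers events that reach 20151; any other rule with an active response attached still fires for the same source host.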