If you're looking to stop all AR against that host you can whitelist the IP: http://www.ossec.net/doc/syntax/head_ossec_config.reports.html
On Thu, Sep 30, 2010 at 6:43 PM, blacklight <vphu...@yahoo.com> wrote: > Hello Folks, > > I am looking into how to get one agent host NOT to induce the OSSEC > server host to trigger an active response block on an another agent > host as a result of some action by that source agent host that would > normally trigger said active response. Example: source agent host > Apple1 tries to do something on host Apple2 on the same subnet. > Unfortunately, this action falls under a rule that triggers an active > response from the server resulting in Apple1 blocking Apple2 - this is > an unwanted reaction. > > The closest I have come to a solution comes from the OSSEC > documentation: > http://www.ossec.net/wiki/Know_How:Ignore_Rules > > " > Ignoring snort message > > If you want to ignore the log from the #Introduction, you can use > "id", "srcip", etc for it. > Jun 3 15:34:33 saratoga.denmantire.com snort[27016]: [122:3:0] > (portscan) > TCP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80 > > To ignore every Snort id "122", comming from srcip 192.168.0.150 and > from hostname "saratoga", > the following rule would do it: > > <rule id="100202" level="0"> > <if_sid>20151</if_sid> > <hostname>saratoga</hostname> > <program_name>^snort</program_name> > <srcip>192.168.0.150</srcip> > <id>^122:</id> > <description>Ignored snort event.</description> > </rule> > " > > I think this rule says: if rule 20151 (i.e. the rule that normally > triggers an active response) is triggered, check that the target host > is "saratoga", that the attack IP is 192.168.0.150 and that the > program name is "snort". If that is the case, ignore rule 122 - In our > situation, we would want to ignore 20151 instead of ignoring rule > 122. > > Am I correct ? > You want to ignore id 122. This rule 100202 will supercede 20151. With this rule 20151 will not fire if the "attacking" host is 192.168.0.150, the "attacked" system is saratoga, and the snort alert that fired is snort id 122.
