Hey everybody,

I have a task that I'm struggling with; could you help?

*Task*: I need to have a blacklist capability on all of my agents (to alert, not block)

*Issue 1*: The blacklist contains over 700 IPs (currently) so creating a rule for each would (to me) seem taxing on the agent and server

*Issue 2*: The white list will contain over 200 IPs or 10 domains/subnets

*Questions*:
- Should I use a white list instead of the blacklist?
- Has anybody on this list done this?
- What is the most practical method?

*Research*:
- I found an excellent example written by Anthony Kasza (anthonykasza.webs.com/docs/honeyports.pdf) but none of my agents will be running nc.
- I looked on this list and other great resources but do not have a good answer

Thank you in advance for your time!