Running ossec-hids-2.8.1 on OpenSUSE 13.2
I have several (trusted) IPs in the <white_list> section of
/var/ossec/etc/ossec.conf, like
--8<---
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>1.2.3.4</white_list>
:
-->8---
but ossec still spews lots of messages like
--8<---
Subject: OSSEC Notification - localhost - Alert level 10
OSSEC HIDS Notification.
2015 Jun 10 11:24:42
Received From: localhost->/var/log/messages
Rule: 5703 fired (level 10) -> "Possible breakin attempt (high number of
reverse lookup errors)."
Portion of the log(s):
2015-06-10T11:24:41.107067+02:00 localhost sshd[23208]: reverse mapping
checking getaddrinfo for host.some.domain [1.2.3.4] failed - POSSIBLE
BREAK-IN ATTEMPT!
-->8---
I know what these IPs do, and that is why they are in the whitelist.
Having them in the whitelist ought to prevent these IPs from being detected as
break-in attempts, right?
What did I miss? Why does ossec mail me with level 10 messages that I
thought I had flagged as valid?
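For context on where this alert comes from and how it is normally quieted (an added example, not part of the original post): OSSEC's <white_list> entries in <global> only exempt addresses from active-response blocking; they do not suppress alerting. Rule 5703 is a composite rule that fires when rule 5702 (the single "reverse mapping checking getaddrinfo ... failed" sshd event) matches repeatedly from the same source within its timeframe. The usual way to silence it for known hosts is a local override in /var/ossec/rules/local_rules.xml that matches 5702 for those source IPs at level 0, so the per-event hits are never counted. The rule id 100100 is an arbitrary choice from the local-rule range and the IPs are the ones shown in the post.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example, not from the original post).
     Silence the per-event reverse-lookup rule (5702) for trusted hosts so that
     the frequency rule 5703 never accumulates hits from them.
     Rule id 100100 is an arbitrary id from the local range (100000 and up). -->
<group name="local,syslog,sshd,">
  <rule id="100100" level="0">
    <if_sid>5702</if_sid>
    <!-- srcip matches the address the sshd decoder extracts from [1.2.3.4];
         a hostname pattern such as ^localhost.localdomain$ has no srcip equivalent -->
    <srcip>127.0.0.1</srcip>
    <srcip>1.2.3.4</srcip>
    <description>Reverse lookup error from a trusted host; ignored.</description>
  </rule>
</group>
```

After restarting ossec, the change can be checked with /var/ossec/bin/ossec-logtest by pasting the sshd line from the alert: it should now end in rule 100100 at level 0 instead of 5702, and 5703 will not fire for that host. Keep the <white_list> entries as well if the intent is also to protect these hosts from active-response blocking, since the two mechanisms are independent.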