Actually, I think our problem was different. The IP would be blocked by active response.

If you don't want to get the emails, you'll have to write a local rule.

Valère Binet [C]
IT Security Administrator
Kelly Government Solutions
On-Site at the NIH
NIH / NIA / IRP
Tel : 410 558 8013
mailto: [email protected]
NCTS performance comments and survey at: https://niairpkiosk.irp.nia.nih.gov/content/ncts-user-survey

From: "Binet, Valere [C] (NIH/NIA/IRP)" <[email protected]>
Date: Wednesday, June 10, 2015 at 8:55 AM
To: [email protected]
Subject: Re: [ossec-list] Level 10 messages for whitelisted IP's

We once had the same problem and solved it by adding the host name in the whitelist. Hoping this helps.

Valère Binet [C]
IT Security Administrator
Kelly Government Solutions
On-Site at the NIH
NIH / NIA / IRP
Tel : 410 558 8013
mailto: [email protected]

From: "H.Merijn Brand" <[email protected]>
Reply-To: [email protected]
Date: Wednesday, June 10, 2015 at 6:08 AM
To: [email protected]
Subject: [ossec-list] Level 10 messages for whitelisted IP's

Running ossec-hids-2.8.1 on OpenSUSE 13.2, I have several (trusted) IPs in /var/ossec/etc/ossec.conf's <whitelist> section, like

--8<---
<global>
  <white_list>127.0.0.1</white_list>
  <white_list>^localhost.localdomain$</white_list>
  <white_list>1.2.3.4</white_list>
  :
-->8---

but ossec still spews lots of messages like

--8<---
Subject: OSSEC Notification - localhost - Alert level 10

OSSEC HIDS Notification.
2015 Jun 10 11:24:42

Received From: localhost->/var/log/messages
Rule: 5703 fired (level 10) -> "Possible breakin attempt (high number of reverse lookup errors)."
Portion of the log(s):

2015-06-10T11:24:41.107067+02:00 localhost sshd[23208]: reverse mapping checking getaddrinfo for host.some.domain [1.2.3.4] failed - POSSIBLE BREAK-IN ATTEMPT!
-->8---

I know what these IPs do, and that is why they are in the whitelist. Having them in the whitelist ought to prevent these IPs from being detected as break-in attempts, right? What did I miss? Why does ossec mail me with level 10 messages for hosts that I thought I had flagged as valid?

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
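The reply above says that `<white_list>` in `<global>` only keeps active response from blocking a host, and that stopping the e-mails takes a local rule. The following is an added example of such a rule, not code from the thread or from the OSSEC project, showing what goes in /var/ossec/rules/local_rules.xml to silence rule 5703 (the rule id from the quoted alert) for one trusted host. Assumptions: the rule ids 100100 and 100101 are arbitrary picks from the range reserved for local rules; 1.2.3.4 and host.some.domain are the placeholder values used in the thread; the `<srcip>` form assumes the sshd decoder extracts the bracketed address as the event's source IP, and the `<match>` form is given as a fallback keyed on the raw log text if it does not.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example, not from the thread).
     Silences rule 5703 for one known host. The <global><white_list> entries
     only exempt a host from active response; they do not stop alerts, which
     is why a local rule is needed. -->
<group name="local,syslog,sshd,">

  <!-- Rule id 100100 is an assumption; any unused id in the 100000-119999
       range reserved for local rules will do. level="0" means the event is
       still processed but no alert (and so no e-mail) is generated. -->
  <rule id="100100" level="0">
    <if_sid>5703</if_sid>
    <!-- Assumes the sshd decoder fills srcip from the bracketed address.
         1.2.3.4 is the placeholder address used in the thread. -->
    <srcip>1.2.3.4</srcip>
    <description>Reverse lookup errors from a trusted host; suppressed locally.</description>
  </rule>

  <!-- Fallback keyed on the host name rather than the decoded address:
       <match> tests the raw log line of the current event.
       host.some.domain is the placeholder name from the quoted alert. -->
  <rule id="100101" level="0">
    <if_sid>5703</if_sid>
    <match>getaddrinfo for host.some.domain</match>
    <description>Reverse lookup errors from a trusted host name; suppressed locally.</description>
  </rule>

</group>
```

After editing, restart with /var/ossec/bin/ossec-control restart and paste the quoted sshd line into /var/ossec/bin/ossec-logtest to confirm which rule it now hits. Level 0 drops the alert entirely; if the events should still be logged in alerts.log but not mailed, use a level below the `<email_alert_level>` configured in ossec.conf instead of 0.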
