I've been following the instructions from the below link to set up a 
whitelist for our vulnerability scanners.  

https://geekcabi.net/article/ossec-whitelisting/

So far, I have the following config in 
/var/ossec/lists/approved_scanner_list

ipaddress1:scanner1
ipaddress2:scanner2

In /var/ossec/etc/ossec.conf I reference that by:

<list>/var/ossec/lists/approved_scanners_list</list>

Note here that I am not trying to block active responses, I want to disable 
any alerting emails that these scanners generate. Is that enough to block 
out all alerts from the scanners?

I am also looking to take this one step further and only block specific 
rules that a scanner may trigger if I so choose. 

In the link documentation it calls for the line:

<list field="srcip" 
lookup="address_match_key">lists/approved_scanners_list</list>


However, since I have multiple scanner IPs, can I list them in the "srcip" 
section as comma-delimited? 

Such as "field="ipaddress1, ipaddress2"

Also, I have no clue what "address_match_key" should translate to. How 
should I populate that field?

Can anyone help me get this going?
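For reference, this is how the three pieces of an OSSEC CDB whitelist fit together, as an added example rather than anything from the post or the linked article: the list file holds the scanner IPs, `ossec.conf` registers the list, and a rule uses the `<list>` element, where `lookup="address_match_key"` is a fixed keyword selecting the lookup mode (not a value to fill in) and `field` names a decoded field such as `srcip`. The rule id 100100, the `web` group filter and the 192.0.2.x addresses are assumed placeholders.

```xml
<!-- 1. /var/ossec/lists/approved_scanner_list is a plain text file, not XML.
     One "key:value" line per scanner IP (constructed sample addresses):

         192.0.2.10:scanner1
         192.0.2.11:scanner2

     Compile it with /var/ossec/bin/ossec-makelists, which writes
     approved_scanner_list.cdb beside it; re-run after every change. -->

<!-- 2. /var/ossec/etc/ossec.conf: register the list inside <rules>.
     The path is relative to /var/ossec and omits the .cdb suffix. -->
<ossec_config>
  <rules>
    <list>lists/approved_scanner_list</list>
  </rules>
</ossec_config>

<!-- 3. /var/ossec/rules/local_rules.xml: a level 0 rule that fires for
     matching source IPs generates no alert (and so no email). Restrict it
     with <if_group> or <if_sid> so only chosen rules are suppressed;
     "web," is assumed here as the group of the rules the scanner trips. -->
<group name="local,">
  <rule id="100100" level="0">
    <if_group>web,</if_group>
    <list field="srcip" lookup="address_match_key">lists/approved_scanner_list</list>
    <description>Approved vulnerability scanner; suppress web alerts.</description>
  </rule>
</group>
```

To keep the alert in alerts.log but stop only the email, give the rule a non-zero level and add `<options>no_email_alert</options>` instead of level 0.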
