The whitelist works with active response. If you have OSSEC blocking misbehaving IPs on your firewall, you definitely have to whitelist the scanner IP. Past experience with one scanner I won’t promote here has shown that you might have to also whitelist its FQDN. If you just want to stop the deluge of emails, a local rule as shown by Bruce is the way to go.
Valère Binet

From: Bruce Westbrook <bwestbr...@gmail.com>
Reply-To: "ossec-list@googlegroups.com" <ossec-list@googlegroups.com>
Date: Thursday, March 5, 2020 at 9:04 AM
To: ossec-list <ossec-list@googlegroups.com>
Subject: [ossec-list] Re: Whitelisting the IP of an internal vulnerability scanner

oops -- I made a typo. The second example should be <if_level>7</if_level> too, not level 1. You can use level 1 but that will ignore everything from the source IP and not log anything at all.

On Thursday, March 5, 2020 at 8:59:59 AM UTC-5, Bruce Westbrook wrote:
> Morning,
>
> Couple of ways to do this for just a single IP address. It depends on whether you just want to skip the email alerts but still keep alerts in your database, or if you want to ignore them completely. Examples assume you have your email alerts set to level 7 or above. Note that <if_level> matches rules at the given level or anything above it.
>
> To skip emails but still keep the alert data:
>
>   <rule id="100101" level="15">
>     <if_level>7</if_level>
>     <options>no_email_alert</options>
>     <srcip>10.10.10.10</srcip>
>     <description>Do not send emails for our scanner alerts</description>
>   </rule>
>
> To ignore all rule matches completely, set your rule to level 0:
>
>   <rule id="100101" level="0">
>     <if_level>1</if_level>
>     <srcip>10.10.10.10</srcip>
>     <description>Ignoring all alerts triggered by our scanner</description>
>   </rule>
>
> Personally I use the second example, which ignores sending any alerts and doesn't even log them, but still logs any non-email events (levels 1-6) so I can still prove to an auditor that the scans are actually running against various hosts (some auditors want multiple proof points like that).
>
> Hope that helps!
>
> - Bruce
>
> On Thursday, March 5, 2020 at 8:42:01 AM UTC-5, Olivier Ragain wrote:
>> Good morning,
>>
>> I've been trying to whitelist the IP of my scanner so that I never get notifications from it and that alerts are ignored for it.
>> I've tried adding it to the whitelist in the ossec configuration file (and as I understand, that configuration is not used for the notification whitelisting).
>> I've tried adding it as a list and then added that to the ossec configuration.
>>
>> So, what is the best way to whitelist a scanner IP so that nothing sends email for it? Do I need to create a custom rule that matches all rule IDs and the IP of the scanner host to disable email notifications?
>>
>> Thanks
>
> --
> You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/85801125-b8d7-471b-869c-adea3d36cf2e%40googlegroups.com.
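To make the distinction drawn in this thread concrete, here is an added configuration example (written for this page, not posted by anyone on the list) showing where each setting lives: the ossec.conf white_list only exempts the host from active-response blocking, while alert and email suppression is done by a local rule. It assumes the scanner IP 10.10.10.10 from Bruce's rules, the default OSSEC install paths, and rule ids 100101/100102 chosen here so both variants can load side by side.

```xml
<!-- /var/ossec/etc/ossec.conf (fragment, assumed default path).
     white_list keeps active response from firewalling the scanner;
     it has no effect on which alerts are generated or emailed. -->
<ossec_config>
  <global>
    <white_list>10.10.10.10</white_list>
  </global>
</ossec_config>

<!-- /var/ossec/etc/rules/local_rules.xml (fragment, assumed default path).
     Alert handling for the scanner is decided here. In practice you would
     keep only ONE of the two rules below; ids 100101 and 100102 are
     constructed for this example. -->
<group name="local,syslog,">

  <!-- Variant A: alert is still written to alerts.log / the database,
       but no email is sent. level="15" keeps the override rule itself
       from being dropped; the option is what suppresses mail. -->
  <rule id="100101" level="15">
    <if_level>7</if_level>
    <options>no_email_alert</options>
    <srcip>10.10.10.10</srcip>
    <description>Do not send emails for our scanner alerts</description>
  </rule>

  <!-- Variant B (Bruce's corrected second example): level 7 and above
       from the scanner is discarded entirely. Levels 1-6 are untouched,
       so lower-level events still give an auditor evidence that the
       scans ran. Using <if_level>1</if_level> here would silence
       everything from that source, including that evidence. -->
  <rule id="100102" level="0">
    <if_level>7</if_level>
    <srcip>10.10.10.10</srcip>
    <description>Ignoring all alerts triggered by our scanner</description>
  </rule>

</group>
```

After editing either file, restart OSSEC and confirm the rule loads (for example with the bundled ossec-logtest) before relying on it, since a malformed local rule can stop the analysis daemon from starting.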