I just spoke with my boss - the method I ran by you is cumbersome and
lacks scalability. Is there a way to get whitelisting implemented at
the agent level?
On Sep 30, 6:50 pm, "dan (ddp)" wrote:
> If you're looking to stop all AR against that host you can whitelist the
> IP: http://www.ossec.net/
The scalability problem comes in two ways:
(1) While all our OSSEC agent hosts have unique FQDN's, the relative
host name i.e. the name that appears in the agent host syslog for
example, may not be unique. For example, app01.applesauce.com and
app01.bananapeel.com have the same relative host name.
If we were to apply the rule method, how do we specify the
variable when we have several hosts with the same relative host name
e.g. app01 but distinct FQDN's? For example, we want the host
app01.applesauce.com to be whitelisted but not any other hosts whose
relative host name is app01. And unfort
Yo, you are a pal :)
On Oct 1, 1:18 pm, "dan (ddp)" wrote:
> Thinking about it a bit more, I don't think it's a bad idea. Just not
> sure how it would be implemented.
>
> I have one idea on how to do it with currently available source, but
> I'm not sure it's possible. I've asked though, so hope
The parameter is a flop:
(1) I tried the following:
Existing rule 6203 (in asterisk_rules.xml):
6200
^ERROR
Asterisk error message.
Attempt to make sure rule 6203 doesn't fire by inserting rule 206203
in asterisk_rules.xml
6203
acd01.cricketdebt.com
Error messa
On Fri, 1 Oct 2010 07:36:55 -0700 (PDT), blacklight
wrote:
> I just spoke with my boss - the method I ran by you is cumbersome and
> lacks scalability. Is there a way to get whitelisting implemented at
> the agent level?
I'm a bit confused. The rule method is easy to implement on the manager
and
On Fri, Oct 1, 2010 at 10:36 AM, blacklight wrote:
> I just spoke with my boss - the method I ran by you is cumbersome and
> lacks scalability. Is there a way to get whitelisting implemented at
> the agent level?
>
I outlined the 2 methods in my last email. To re-iterate:
1. Global whitelisting o
On Fri, Oct 1, 2010 at 12:40 PM, blacklight wrote:
> The scalability problem comes in two ways:
>
> (1) While all our OSSEC agent hosts have unique FQDN's, the relative
> host name i.e. the name that appears in the agent host syslog for
> example, may not be unique. For example, app01.applesauce.c
Thinking about it a bit more, I don't think it's a bad idea. Just not
sure how it would be implemented.
I have one idea on how to do it with currently available source, but
I'm not sure it's possible. I've asked though, so hopefully I'll have
an answer soon-ish. If it isn't possible to do it in th
If you try the location method before I get a chance, let us know if
it works or not.
On Fri, Oct 1, 2010 at 1:26 PM, blacklight wrote:
> Yo, you are a pal :)
>
>
> On Oct 1, 1:18 pm, "dan (ddp)" wrote:
>> Thinking about it a bit more, I don't think it's a bad idea. Just not
>> sure how it would
It was worth a shot. :)
And can also be used with the agent name, just not there. I
was hoping that it could:
http://www.ossec.net/doc/manual/output/granular-email-output.html
On Thu, Oct 7, 2010 at 5:52 PM, blacklight wrote:
> The parameter is a flop:
>
> (1) I tried the following:
>
> Existin