Ohh, I'm sorry, I misunderstood your case.
OK, I'll test it tonight, and write the results.
If you can send the conf file and alert logs,
they would help me.

Regards,

Ahmet Ozturk.


Dimitri Yioulos wrote:
Ahmet.

Um, actually, why would I need a Windows agent? I'm not monitoring a Windows box, just using it to do tasks on an OSSEC_HIDS box, like upload files via sftp (again, using WinSCP3) or run commands via ssh (Putty). That notwithstanding, I'll send along the conf and logs. I've done nothing special to the conf file, though, except whitelist a few addresses.

Dimitri


On Wednesday August 09 2006 9:33 am, Ahmet Ozturk wrote:
Hi again,

I'll test windows agent at home tonight.
Can you send us your ossec.conf file and related alert logs?

Regards,

Ahmet Ozturk.

Dimitri Yioulos wrote:
Thanks, Ahmet.

Might you have any idea why my WinXP box keeps getting blocked
when using the ssh and ftp tools, even though it's whitelisted?

Dimitri

On Wednesday August 09 2006 9:12 am, Ahmet Ozturk wrote:
Hi Dimitri,

OSSEC-HIDS configuration only accepts CIDRs /8 /16 /24 /32.

Please see Rafael Capovilla's solution.
(http://www.ossec.net/ossec-list/2006-August/msg00063.html)

I think Meir Michanie will correct this issue soon.

Since you have only two agent boxes, you may define them
separately in config file like:
<white_list>192.168.100.xx/32</white_list>
<white_list>192.168.100.yyy/32</white_list>

Regards,

Ahmet Ozturk.

Dimitri Yioulos wrote:
Hello list members.

In order to use various tools on my OSSEC-HIDS server and agent
boxes, I've whitelisted my two  desktop boxes - WinXP and
SimplyMepis Linux.

From the Linux desktop, using cli ssh and sftp tools, I have no
trouble getting into the OSSEC-HIDS server or agents.  From the
Windows desktop, however, I keep getting added to hosts.deny
when using either Putty (ssh) or WinSCP3 (sftp).  I then have
to remove the entry for the WinXP desktop from hosts.deny and
restart the OSSEC-HIDS server (merely removing the entry from
hosts.deny doesn't work).  I have, as per instruction, added a
separate entry in ossec.conf for each LAN address I want to
whitelist.  Is this a possible bug, or am I doing something
wrong?

I tried whitelisting my entire LAN by adding
<white_list>192.168.100.0/22</white_list>, but that didn't seem
to work.  If this isn't something I'm doing wrong, might I
suggest adding this ability in a future release?

Regards,

Dimitri
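
Added example, not part of the original thread: taking as given the statement above that `<white_list>` accepts only /8, /16, /24 and /32, this Python sketch splits an IPv4 range of any other size (such as the 192.168.100.0/22 from the question) into entries of an accepted size that cover exactly the same addresses. The function name `expand_white_list` is hypothetical.

```python
import ipaddress

# Prefix lengths the thread says this OSSEC-HIDS version accepts in <white_list>.
ACCEPTED_PREFIXES = (8, 16, 24, 32)


def expand_white_list(cidr):
    """Return <white_list> lines covering exactly `cidr` with accepted prefixes only."""
    # strict=True rejects input with host bits set (e.g. 192.168.100.5/22),
    # so a typo cannot silently whitelist a different range than intended.
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("this example handles IPv4 only")

    # Pick the shortest accepted prefix that is at least as long as the
    # requested one, so the pieces never cover more than the original range.
    target = next(p for p in ACCEPTED_PREFIXES if p >= net.prefixlen)

    if target == net.prefixlen:
        pieces = [net]
    else:
        pieces = list(net.subnets(new_prefix=target))

    return ["<white_list>%s</white_list>" % piece for piece in pieces]


if __name__ == "__main__":
    # The range from the original question: becomes four /24 entries.
    for line in expand_white_list("192.168.100.0/22"):
        print(line)
```

Ranges far from an accepted size expand to many lines (a /17 becomes 128 /24 entries), so review the output before pasting it into ossec.conf.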

