Hi Dimitri.

Source diving in the snapshot release, 
ossec-hids-081212/src/shared/validate_op.c shows it understands a /22 as:

_netmasks[22] = 0xFFFFFC00;

Which should be OK, but I guess there could still be bugs. I didn't do the CVS 
diving to see when this was added so I don't know that your source code is the 
same.

How about using chunks? You can have multiple srcip tags in the rule.

<srcip>192.168.100.0/24</srcip>
<srcip>192.168.101.0/24</srcip>
<srcip>192.168.102.0/24</srcip>
<srcip>192.168.103.0/24</srcip>

Also, have you tried your rule against ossec-logtest -f?

c.f. http://www.ossec.net/dcid/?p=136

Rick
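
An added example (not part of the original thread and not OSSEC's own code) of the arithmetic discussed above: it derives the 0xFFFFFC00 mask for a /22, tests whether an address falls inside a CIDR block, and lists the /24 blocks that cover 192.168.100.0/22. The function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Example helpers; names are hypothetical, not taken from validate_op.c. */

/* Netmask for a prefix length, e.g. 22 -> 0xFFFFFC00. */
uint32_t prefix_to_mask(int bits) {
    if (bits <= 0) return 0;                 /* a shift by 32 is undefined */
    if (bits >= 32) return 0xFFFFFFFFu;
    return (uint32_t)(0xFFFFFFFFu << (32 - bits));
}

/* Parse "a.b.c.d/n" into a host-order network address and mask; 0 on success. */
int parse_cidr(const char *s, uint32_t *net, uint32_t *mask) {
    unsigned a, b, c, d; int bits; char extra;
    if (sscanf(s, "%u.%u.%u.%u/%d%c", &a, &b, &c, &d, &bits, &extra) != 5)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255 || bits < 0 || bits > 32)
        return -1;
    *mask = prefix_to_mask(bits);
    *net = ((a << 24) | (b << 16) | (c << 8) | d) & *mask; /* drop host bits */
    return 0;
}

/* 1 if the dotted-quad ip is inside cidr, 0 if not, -1 on a parse error. */
int ip_in_cidr(const char *ip, const char *cidr) {
    uint32_t net, mask, addr, full; char buf[32];
    if (parse_cidr(cidr, &net, &mask) != 0) return -1;
    snprintf(buf, sizeof buf, "%s/32", ip);
    if (parse_cidr(buf, &addr, &full) != 0) return -1;
    return (addr & mask) == net;
}

/* Store the /24 networks covering cidr (prefix 16..24) in out; returns count. */
int split_into_24s(const char *cidr, uint32_t *out, int max) {
    uint32_t net, mask, i, count; int n = 0;
    if (parse_cidr(cidr, &net, &mask) != 0) return -1;
    if (mask < 0xFFFF0000u || mask > 0xFFFFFF00u) return -1;
    count = (~mask + 1u) >> 8;               /* /22 -> 1024 addresses -> 4 */
    for (i = 0; i < count && n < max; i++) out[n++] = net + (i << 8);
    return n;
}

int main(void) {
    uint32_t nets[256]; int i, n = split_into_24s("192.168.100.0/22", nets, 256);
    for (i = 0; i < n; i++)                  /* prints one srcip line per /24 */
        printf("<srcip>%u.%u.%u.0/24</srcip>\n", (unsigned)(nets[i] >> 24),
               (unsigned)((nets[i] >> 16) & 255), (unsigned)((nets[i] >> 8) & 255));
    return 0;
}
```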



-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Dimitri Yioulos
Sent: Wednesday, January 07, 2009 3:53 PM
To: [email protected]
Subject: [ossec-list] Re: Preventing locally triggered rule
Importance: Low


Thanks very much, Rick!

I checked the docs for any information on srcip, and also googled, but came up
relatively empty.  So, I took the rule you so kindly provided, and included:

<srcip>192.168.100.0/22</srcip>

But, that didn't work.  I read somewhere (regarding whitelisting, I think)
that OH doesn't like CIDR notations other than 8, 16, 24, and 32.  Nowhere
have I seen that I can use the actual subnet mask (in our case,
255.255.252.0).

It would be a PITA to have to enter all of the workstations I want to filter
out and, of course, there's DHCP to deal with.

Any idea how I might be able to deal with this?

Dimitri


