Hi Dimitri.

Source diving in the snapshot release, ossec-hids-081212/src/shared/validate_op.c shows it understands a /22 as:

    _netmasks[22] = 0xFFFFFC00;

Which should be OK, but I guess there could still be bugs. I didn't do the CVS diving to see when this was added so I don't know that your source code is the same.

How about using chunks, you can have multiple srcip tags in the rule.

    <srcip>192.168.100.0/24</srcip>
    <srcip>192.168.101.0/24</srcip>
    <srcip>192.168.102.0/24</srcip>
    <srcip>192.168.103.0/24</srcip>

Also, have you tried your rule against ossec-logtest -f? c.f. http://www.ossec.net/dcid/?p=136

Rick

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Dimitri Yioulos
Sent: Wednesday, January 07, 2009 3:53 PM
To: [email protected]
Subject: [ossec-list] Re: Preventing locally triggered rule
Importance: Low

Thanks very much, Rick!

I checked the docs for any information on srcip, and also googled, but came up relatively empty. So, I took the rule you so kindly provided, and included:

    <srcip>192.168.100.0/22</srcip>

But, that didn't work. I read somewhere (regarding whitelisting, I think) that OH doesn't like CIDR notations other than 8, 16, 24, and 32. Nowhere have I seen that I can use the actual subnet mask (in our case, 255.255.252.0). It would be a PITA to have to enter all of the workstations I want to filter out and, of course, there's DHCP to deal with.

Any idea how I might be able to deal with this?

Dimitri
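An added example, not OSSEC's code and not written by anyone in the thread: the mask arithmetic behind the `_netmasks[22] = 0xFFFFFC00` entry, a CIDR membership check, and the /24 blocks that together cover 192.168.100.0/22. All function names are made up for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Netmask for a prefix length; 22 gives 0xFFFFFC00, i.e. 255.255.252.0. */
static uint32_t prefix_mask(int bits)
{
    if (bits <= 0) return 0;
    return bits >= 32 ? 0xFFFFFFFFu : 0xFFFFFFFFu << (32 - bits);
}

/* Parse dotted-quad text into a host-order integer; 0 on success, -1 on bad input. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d; char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255) return -1;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

/* 1 if ip lies inside net/bits, 0 if not, -1 on invalid input.
 * Both sides are masked, so host bits set in net do not change the result. */
static int in_cidr(const char *ip, const char *net, int bits)
{
    uint32_t i, n, m = prefix_mask(bits);
    if (bits < 0 || bits > 32 || parse_ipv4(ip, &i) || parse_ipv4(net, &n)) return -1;
    return (i & m) == (n & m);
}

/* Store the base address of every /24 inside net/bits (bits 16..24); returns the count. */
static int split_into_24s(uint32_t net, int bits, uint32_t *out, int max)
{
    int i, count;
    if (bits < 16 || bits > 24 || (1 << (24 - bits)) > max) return -1;
    count = 1 << (24 - bits);
    net &= prefix_mask(bits);
    for (i = 0; i < count; i++) out[i] = net + ((uint32_t)i << 8);
    return count;
}

int main(void)
{
    uint32_t blocks[256];
    int i, n = split_into_24s(0xC0A86400u, 22, blocks, 256); /* 192.168.100.0 */
    for (i = 0; i < n; i++)
        printf("<srcip>%u.%u.%u.0/24</srcip>\n", (unsigned)(blocks[i] >> 24),
               (unsigned)((blocks[i] >> 16) & 255), (unsigned)((blocks[i] >> 8) & 255));
    printf("192.168.103.77 in /22: %d\n", in_cidr("192.168.103.77", "192.168.100.0", 22));
    return 0;
}
```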
