Hi,

The white list only applies to active response, not to the alerts. So,
you will still get the alert even if the IP is in there. If you want to
suppress the alert and the active response, try adding a local rule:

<rule id="100102" level="0">
  <if_sid>31106</if_sid>
  <srcip>192.168.0.0/24</srcip>
  <description>Ignoring rule 31106 for 192.168</description>
</rule>


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, Mar 20, 2009 at 1:02 PM, NCUB <[email protected]> wrote:
>
> Hi -
>
> I'm wondering if whitelisting netblocks works?  I tried it, and my IP
> was still blocked after reloading.  It's blocking me for using
> phpMyAdmin.  Am I doing this wrong (example below)?
>
> Thanks!
> Beth
>
>  <global>
>    <white_list>127.0.0.1</white_list>
>    <white_list>^localhost.localdomain$</white_list>
>    <white_list>192.168.0.0/24</white_list>
>  </global>
>
> OSSEC HIDS Notification.
> 2009 Mar 20 11:45:22
>
> Received From: webhost-3->/var/log/httpd/access_log
> Rule: 31106 fired (level 12) -> "A web attack returned code 200
> (success)."
> Portion of the log(s):
>
> 192.168.0.229 - root [20/Mar/2009:11:45:22 -0400] "GET /MyAdmin/
> querywindow.php?sql_query=SELECT+%2A+FROM+%60jos_comprofiler
> %60&lang=en-
> iso-8859-1&server=1&db=kidsstuff_data&table=jos_comprofiler HTTP/1.1"
> 200 3068 "http://111.111.111.111/MyAdmin/sql.php"; "Mozilla/5.0
> (Macintosh; U; Intel Mac OS X 10_5_6; en-us) AppleWebKit/525.18.1
> (KHTML, like Gecko) Version/3.1.2 Safari/525.20.1
>
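
A narrower variant of the local rule suggested in the reply, as an added example that is not part of the original thread or of OSSEC's shipped rules: it limits the level-0 override to the single admin host and the phpMyAdmin path seen in the alert, so rule 31106 still fires for every other host in 192.168.0.0/24 and for every other URL. The rule id 100103, the group name and the file location (local_rules.xml on a default install) are assumptions.

```xml
<!-- Assumed location: /var/ossec/rules/local_rules.xml (default install) -->
<group name="local,web,accesslog,">

  <!--
    Use instead of the /24-wide rule 100102 when only one workstation
    administers phpMyAdmin. A level-0 child rule silences both the alert
    and any active response tied to the parent, so keep its scope tight.
  -->
  <rule id="100103" level="0">
    <!-- Only evaluated after the parent rule 31106 has matched -->
    <if_sid>31106</if_sid>
    <!-- The admin host from the alert above, not the whole netblock -->
    <srcip>192.168.0.229</srcip>
    <!-- Only requests whose URL starts with the phpMyAdmin alias -->
    <url>^/MyAdmin/</url>
    <description>Ignoring rule 31106 for phpMyAdmin use from 192.168.0.229</description>
  </rule>

</group>
```

After restarting OSSEC, the access-log line from the alert can be pasted into ossec-logtest (in /var/ossec/bin on a default install) to confirm that it now resolves to the level-0 rule.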
