On Sat, Sep 18, 2010 at 11:46 AM, Kacper Wysocki <[email protected]> wrote:
> I'm already setting up my agents by hostname, but getting the actual
> IP is interesting because "dial-home" in case of theft is another
> thing ossec would then do. Maybe not quite within scope but theft sure
> does fall under the banner of "intrusion". I suppose I could set up a
> rule to check the IP but it's more useful to have the server report
> the actual IP and not a NAT'ed private ip.
>
> editing the source: sure, anyone point me the right way around the code?
> --
> http://kacper.doesntexist.org
> http://windows.dontexist.com
> Employ no technique to gain supreme enlightenment.
> - Mar pa Chos kyi blos gros
>
Possibly a silly idea, but you could have all systems "check-in" at a certain URL, and create a rule looking for that specific URL. To weed out alerts from "known good" systems, you could create a rule to filter out known-good IPs.
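
The check-in idea above, sketched as an OSSEC local_rules.xml fragment (an added example, not part of the original message or of the OSSEC distribution). It assumes the check-in web server's access log is monitored by OSSEC and that the stock web rules are loaded, so that rule 31100 groups access-log events; the rule IDs, the URL path and the address range are constructed placeholders.

```xml
<!-- local_rules.xml: added example, all IDs, paths and addresses are constructed -->
<group name="local,checkin,">

  <!-- Parent: any request for the check-in URL that agents are
       configured to fetch periodically. The decoded source IP is the
       public address the request arrived from, i.e. the address after
       NAT, not the host's private address. -->
  <rule id="100200" level="8">
    <if_sid>31100</if_sid>
    <url>/ossec-checkin</url>
    <description>Host check-in received from an unexpected address.</description>
  </rule>

  <!-- Child: the same request from a known-good egress range is
       expected, so drop it to level 0 (no alert). Duplicate this rule
       with a new id for each further known-good range. -->
  <rule id="100201" level="0">
    <if_sid>100200</if_sid>
    <srcip>192.0.2.0/24</srcip>
    <description>Host check-in from a known-good address (ignored).</description>
  </rule>

</group>
```

To tell hosts apart, each one can request a distinct path or query string under the check-in URL, which then appears in the alert's log line next to the source address.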
