I'm still sipping on coffee, so it is entirely possible I've missed something important. :)
Are there a lot of rules that fire from these whitelisted systems on a regular basis? You could always create ignore rules to keep them from firing. I'm not sure if an <if_sid>501|502|503</if_sid> (sids chosen at random for demonstration purposes only!) will work, but you could try it. For the srcip check, you can use the cdb feature to make it easier to maintain.

On Tue, May 3, 2011 at 11:43 AM, jplee3 wrote:
> Hey all,
>
> Certain aspects of this question may have been touched upon previously
> but I don't think I've come across a specific answer.
>
> First, I'll explain my scenario:
>
> - I'm currently using location "defined-agent" and agent_id to trigger
>   the same active response on a set of machines in my environment.
> - I've whitelisted several IPs so that they don't get blocked by the
>   AR if they happen to trigger the rules that set AR off.
> - I am currently using the classic OSSEC email alerts to give me a
>   heads-up when AR was triggered.
>
> Now, the main issue with this approach is if I've whitelisted an IP,
> the OSSEC email alert will still go out if that IP triggered the
> relevant rule (i.e. multiple failed logons).
>
> To resolve this, I *could* (and actually have been testing this a bit)
> modify the AR script to send the email out. My main issue with this is
> consistency - to be consistent, I would want to set up the AR script to
> include emailing out on every machine where I have AR set up to
> trigger. This would produce lots of duplicate emails.
>
> I could always just modify the AR script on a single server and rely
> on that, but if that were the case I'd rather have the email come from
> the OSSEC master server rather than the local agent running the
> script.
>
> Ugh, that may have been too convoluted. But if anyone gets what I'm
> trying to do, please let me know if you have any ideas on Active
> Response alerting. This would be a cool feature to include in a future
> release of OSSEC btw :)
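The two suggestions in the reply above (an `<if_sid>` ignore rule plus a CDB list for the whitelisted source IPs) put together, as an added example that is not from the poster or the OSSEC project. The rule id 100010, the list name `lists/ar_whitelist` and the addresses are constructed; sid 5712 (OSSEC's sshd brute-force rule) stands in for whatever rule actually fires the active response in your setup.

```xml
<!-- 1. /var/ossec/lists/ar_whitelist: plain-text source of the CDB list,
        one key per line with a trailing colon (constructed addresses).
        Compile it with /var/ossec/bin/ossec-makelists, which writes
        lists/ar_whitelist.cdb next to it.

     10.0.0.5:
     10.0.0.6:
-->

<!-- 2. ossec.conf on the manager: register the list so ossec-analysisd
        loads it at startup. -->
<ossec_config>
  <rules>
    <list>lists/ar_whitelist</list>
  </rules>
</ossec_config>

<!-- 3. rules/local_rules.xml: a level-0 child rule replaces the parent
        alert when srcip is in the list, so the whitelisted host produces
        neither an email alert nor an active response. -->
<group name="local,">
  <rule id="100010" level="0">
    <if_sid>5712</if_sid>
    <list field="srcip" lookup="address_match_key">lists/ar_whitelist</list>
    <description>Brute force from AR-whitelisted host; ignored.</description>
  </rule>
</group>
```

Level 0 drops the event from the alert log entirely; to keep a record of the attempt while still suppressing the email and the AR, give the child rule a level below your `<email_alert_level>` and below the `<level>` that triggers the active-response block instead.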
