Hi security people,

today I realized that whitelisting by hostname doesn't work at all with OSSEC, at least not with a DynDNS hostname, even when the IP address is the same as at the time I started OSSEC.

I did some tests: I ran "service ossec restart" and then produced a level-10 alert one minute later, and my office got locked out. Bang. ossec.log tells me:

    ...
    2011/05/04 13:10:32 ossec-analysisd: INFO: White listing Hostname: 'localhost.localdomain'
    2011/05/04 13:10:32 ossec-analysisd: INFO: White listing Hostname: 'blablabla.dnsuser.de'
    2011/05/04 13:10:32 ossec-analysisd: INFO: 2 Hostname(s) in the white list for active response.
    ...

How does that white list work when it comes to hostnames? At least it does not work for me the way I thought it should.

OSSEC 2.5.1, local installation, Ubuntu 10.04 LTS 64-bit.

Greets,
Rainer
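The post does not say how OSSEC matches hostname entries, only that a DynDNS name in the white list did not stop the office from being blocked. What follows is an added example (mine, not code from the post or from OSSEC) of the check a practitioner would want before trusting such a list: expand the entries into addresses and ranges, then test the offending source IP against them. A hostname entry can only protect a source address if it is resolved at some point and the resolved address still matches; the script replaces real DNS with a constructed lookup table so it runs offline, and the hostnames and addresses in it are assumptions, not values from the post.

```python
"""Check whether a source address is covered by an active-response white list.

Added example, not code from the original post or from OSSEC.

Assumptions (not stated in the post):
  * IP entries are literal addresses or CIDR ranges and are compared with the
    alert's source IP.
  * A hostname entry only helps for the source IP if it is resolved to an
    address and that address is compared. The DNS lookup is replaced by a
    constructed table so the script runs without network access.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional

# Constructed stand-in for DNS: hostname -> current A record (hypothetical).
FAKE_DNS: Dict[str, str] = {
    "localhost.localdomain": "127.0.0.1",
    "office.example.net": "203.0.113.7",   # the dynamic office address
}

Network = ipaddress.IPv4Network  # IPv6 networks work the same way


def resolve(entry: str, dns: Dict[str, str] = FAKE_DNS) -> Optional[str]:
    """Return the address a hostname entry resolves to, or None.

    For live use replace the table lookup with socket.gethostbyname(entry).
    """
    return dns.get(entry)


def expand_whitelist(entries: Iterable[str], dns: Dict[str, str] = FAKE_DNS) -> List[Network]:
    """Turn white-list entries into networks.

    Literal IPs and CIDR ranges are used as written. Hostnames are resolved
    exactly once, here, which is the weak point of name-based entries: if the
    dynamic address changes after expansion the entry silently stops matching,
    and a name that does not resolve contributes nothing at all.
    """
    nets: List[Network] = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
            continue
        except ValueError:
            pass  # not an IP or CIDR, treat it as a hostname
        addr = resolve(entry, dns)
        if addr is not None:
            nets.append(ipaddress.ip_network(addr))
    return nets


def is_whitelisted(srcip: str, nets: Iterable[Network]) -> bool:
    """True if srcip falls inside any expanded white-list network."""
    ip = ipaddress.ip_address(srcip)
    return any(ip in net for net in nets)


def lockout_report(srcip: str, entries: List[str], dns: Dict[str, str] = FAKE_DNS) -> str:
    """Human-readable verdict for one source address against one list."""
    covered = is_whitelisted(srcip, expand_whitelist(entries, dns))
    verdict = "covered" if covered else "NOT covered (active response would block it)"
    return f"{srcip} against {entries}: {verdict}"


if __name__ == "__main__":
    office = ["127.0.0.1", "office.example.net"]
    # Resolved name still points at the office: covered.
    print(lockout_report("203.0.113.7", office))
    # Dynamic address moved after the list was expanded: no longer covered.
    print(lockout_report("203.0.113.7", office, dns={"office.example.net": "198.51.100.9"}))
    # A literal range does not depend on DNS at all.
    print(lockout_report("203.0.113.200", ["203.0.113.0/24"]))
```

Running the report before a restart and again after the dynamic address has changed shows why a literal IP or CIDR entry is the safer choice for an office that must never be locked out: the hostname entry only covers whatever the name resolved to when the list was expanded, and a name that fails to resolve covers nothing.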
