I'm not entirely sure if "!" is recognized at least in the srcip parameter.

What you may want to try doing is creating a rule to fire for those IPs and
then create another rule to suppress alerts from the entire range. I believe
the rule that looks for alerts from those particular IPs will supersede the
one to suppress all.

Something like this:

 <rule id="100203" level="0">
  <if_sid>18149</if_sid>
  <srcip>192.168.1.0/24</srcip>
 </rule>

 <rule id="100204" level="10">
  <if_sid>18149</if_sid>
  <srcip>192.168.1.5</srcip>
  <srcip>192.168.1.6</srcip>
  <srcip>192.168.1.7</srcip>
  <srcip>192.168.1.8</srcip>
  <srcip>192.168.1.9</srcip>
 </rule>

On Wed, May 11, 2011 at 10:50 AM, Joseph S. Testa II <
[email protected]> wrote:

> I'm trying to suppress alerts from all IPs except for 192.168.1.5-9. This
> is for a large installation, and only those five devices are important with
> respect to rule 18149.
>
>   Thanks,
>   - Joe
>
>
>
> jplee3 wrote:
>
>> So are you trying to whitelist the IPs listed above? Or blacklist
>> them?
>>
>> with the "!" I'm assuming you're saying "NOT" - do you want to
>> suppress alerts from 192.168.1.5-9? If so, then you should remove the
>> "!"
>>
>> On May 11, 10:37 am, "Joseph S. Testa II"
>> <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>>    I'd like to suppress a rule by source IP, so I put the following
>>> inside local_rules.xml:
>>>
>>>  <rule id="100203" level="0">
>>>   <if_sid>18149</if_sid>
>>>   <srcip>!192.168.1.5</srcip>
>>>   <srcip>!192.168.1.6</srcip>
>>>   <srcip>!192.168.1.7</srcip>
>>>   <srcip>!192.168.1.8</srcip>
>>>   <srcip>!192.168.1.9</srcip>
>>>  </rule>
>>>
>>> I restarted OSSEC (v2.5.1 on Ubuntu 10.04 LTS) and verified my rule
>>> parsed correctly, but I still get alerts for IPs not in that list.
>>>
>>> When I search for alerts in the web UI, it says "Showing 123 alert(s)
>>> from srcip (none)", which seems to imply that the decoder isn't filling
>>> the srcip field correctly.
>>>
>>> Is there another way to filter this rule by source IP?
>>>
>>>    Thanks,
>>>    - Joe
>>>
>>> --
>>> Joseph S. Testa II | Senior Security Consultant
>>> Positron Security, LLC.
>>> http://www.positronsecurity.com/
>>>
>>> Phone: (585) 643-5900
>>> AIM / Skype / Twitter:  TheRealJoeTesta
>>>
>>
>
> --
> Joseph S. Testa II | Senior Security Consultant
> Positron Security, LLC.
> http://www.positronsecurity.com/
>
> Phone: (585) 643-5900
> AIM / Skype / Twitter:  TheRealJoeTesta
>
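A stand-alone Python model of the two-rule approach suggested in the reply above (an added example, not OSSEC's own code): it parses a constructed copy of the suggested rules, matches a decoded srcip against each rule's <srcip> list (hosts, CIDR ranges, and "!"-negated entries), and assumes that sibling rules chained to 18149 are evaluated highest level first, which is what would let the level-10 rule take precedence over the level-0 one.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed copy of the two rules proposed in the reply above.
LOCAL_RULES = """<group name="local">
 <rule id="100203" level="0">
  <if_sid>18149</if_sid>
  <srcip>192.168.1.0/24</srcip>
 </rule>
 <rule id="100204" level="10">
  <if_sid>18149</if_sid>
  <srcip>192.168.1.5</srcip>
  <srcip>192.168.1.6</srcip>
  <srcip>192.168.1.7</srcip>
  <srcip>192.168.1.8</srcip>
  <srcip>192.168.1.9</srcip>
 </rule>
</group>"""


def srcip_matches(srcip, patterns):
    """Match one decoded srcip against a rule's <srcip> entries.
    Assumed semantics: the first matching non-negated entry wins, and a
    list made only of '!' entries matches when the address hits none."""
    addr = ipaddress.ip_address(srcip)
    negated = False
    for pat in patterns:
        if pat.startswith("!"):
            negated = True
            pat = pat[1:]
        if addr in ipaddress.ip_network(pat, strict=False):
            return not negated
    return negated


def load_children(xml_text, parent_sid):
    """(id, level, srcip list) for every rule with <if_sid>parent_sid,
    sorted highest level first (assumed sibling evaluation order)."""
    children = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        if rule.findtext("if_sid") != str(parent_sid):
            continue
        pats = [e.text.strip() for e in rule.findall("srcip")]
        children.append((int(rule.get("id")), int(rule.get("level")), pats))
    return sorted(children, key=lambda r: r[1], reverse=True)


def evaluate(srcip, xml_text=LOCAL_RULES, parent_sid=18149):
    """(rule id, level) of the first child rule matching srcip, or None
    when no child matches and the parent alert stands unchanged."""
    for rid, level, pats in load_children(xml_text, parent_sid):
        if srcip_matches(srcip, pats):
            return rid, level
    return None
```

Any rule keyed on <srcip> can only match when the decoder actually fills that field, which the "srcip (none)" result in the original post suggests was not happening for rule 18149.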
