Depends on how you're whitelisting. Whitelist from Active Response? Or whitelist from rules alerting?
ossec.conf whitelist is AR whitelist. There is no whitelist for rules, so you'll have to create a rule to do it.

    <rule id="whitelist_rule_number" level="0"> <!-- maybe change to 1 so you log it -->
      <if_sid>a bunch of low level rules (like 1002)</if_sid>
      <srcip>IP_address</srcip>
      <srcip>IP_address2</srcip>
      <description>Whitelist rule triggered</description>
    </rule>

That should take care of it.

On Jan 9, 10:29 am, Jason 'XenoPhage' Frisvold <[email protected]> wrote:
> white_list is a global option in ossec.conf .. But is there an easy
> way to whitelist by server? For instance, I want to whitelist some
> web developer IPs on the web servers, but I don't want them
> whitelisted on other servers such as database or storage servers. I
> don't see a very easy way to do this, though..
>
> Thoughts?
>
> --
> ---------------------------
> Jason 'XenoPhage' Frisvold
> [email protected]
> ---------------------------
>
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
