On Mon, Mar 4, 2013 at 4:45 PM, TWAD <[email protected]> wrote:
> Hey everybody,
> I have a task that I'm struggling with; could you help?
>
> Task: I need to have a blacklist capability on all of my agents (to alert,
> not block)
>

Alerts are only created by the server, not the agents.

> Issue 1: The blacklist contains over 700 IPs (currently) so creating a rule
> for each would (to me) seem taxing on the agent and server

Using a cdb seems like a decent option. I had a cdb of over 100k domains at one point.

> Issue 2: The white list will contain over 200 IPs or 10 domains/subnets
>
> Questions:
>
> Should I use a white list instead of the blacklist?
> Has anybody on this list done this?
> What is the most practical method?
>
> Research:
>
> I found an excellent example written by Anthony Kasza
> (anthonykasza.webs.com/docs/honeyports.pdf) but none of my agents will be
> running nc.
> I looked on this list and other great resources but do not have a good
> answer
>
> Thank you in advance for your time!
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
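As an added worked example (not code from the thread, from TWAD, or from the OSSEC project), here is what "use a cdb" looks like end to end on the OSSEC server: a helper that turns a raw 700-line IP feed into the `key:value` text that OSSEC list files use, and the server-side rule that checks the decoded `srcip` of every event against that list. The list path `lists/blacklist-ips`, the rule id 100100, the level, and the use of a root rule with no `if_sid`/`if_group` parent are assumptions; the sample feed lines are constructed.

```shell
#!/bin/sh
# Added example: feed IPs -> OSSEC CDB list -> alert-only rule on the server.
# Assumed paths: /var/ossec/etc/lists/blacklist-ips (text) and the .cdb
# that ossec-makelists compiles beside it. Nothing here blocks traffic;
# the rule only raises an alert, which is what the poster asked for.

# make_ossec_list: read IPv4 addresses on stdin (one per line, '#' comments
# and blank lines allowed), drop malformed entries and duplicates, and print
# them as "ip:" lines (the CDB key with an empty value).
make_ossec_list() {
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # skip comments and blanks
    {
      gsub(/[[:space:]]/, "", $0)                        # strip stray whitespace/CR
      if (split($0, o, /\./) != 4) next                  # must be four octets
      ok = 1
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0 # each octet 0..255
      if (ok && !seen[$0]++) print $0 ":"                # dedupe, emit key:
    }'
}

# print_rule: the local rule to drop into /var/ossec/rules/local_rules.xml.
# address_match_key treats the list keys as addresses and compares the decoded
# srcip against them (assumption: a root rule with only <list> is evaluated
# for every event that carries a srcip; add <if_group> to narrow it).
print_rule() {
  cat <<'EOF'
<group name="local,blacklist,">
  <rule id="100100" level="10">
    <list field="srcip" lookup="address_match_key">lists/blacklist-ips</list>
    <description>Event from blacklisted source IP (alert only)</description>
  </rule>
</group>
EOF
}

# Constructed sample feed: two good entries, one duplicate, two junk lines.
make_ossec_list <<'EOF'
# raw blacklist as received from the feed (constructed sample)
203.0.113.7
198.51.100.22
203.0.113.7
999.1.1.1
not-an-ip
EOF

print_rule
```

To wire it in, write the helper's output to `/var/ossec/etc/lists/blacklist-ips`, add `<list>lists/blacklist-ips</list>` inside the `<rules>` block of `ossec.conf`, run `/var/ossec/bin/ossec-makelists` to compile the `.cdb`, and restart OSSEC. Re-running `ossec-makelists` after regenerating the text file is enough to pick up feed updates; the rule itself never changes, which is the whole point of using a list instead of 700 rules.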
