Thank you Dan. Now I have something new to learn... CDB and makelists. Should do the trick though. Cheers
On Tuesday, March 5, 2013 5:45:10 PM UTC-6, dan (ddpbsd) wrote:
> On Mon, Mar 4, 2013 at 4:45 PM, TWAD <[email protected]> wrote:
> > Hey everybody,
> > I have a task that I'm struggling with; could you help?
> >
> > Task: I need to have a blacklist capability on all of my agents (to alert,
> > not block)
> >
> Alerts are only created by the server, not the agents.
>
> > Issue 1: The blacklist contains over 700 IPs (currently) so creating a rule
> > for each would (to me) seem taxing on the agent and server
> >
> Using a cdb seems like a decent option. I had a cdb of over 100k
> domains at one point.
>
> > Issue 2: The white list will contain over 200 IPs or 10 domains/subnets
> >
> > Questions:
> >
> > Should I use a white list instead of the blacklist?
> > Has anybody on this list done this?
> > What is the most practical method?
> >
> > Research:
> >
> > I found an excellent example written by Anthony Kasza
> > (anthonykasza.webs.com/docs/honeyports.pdf) but none of my agents will be
> > running nc.
> > I looked on this list and other great resources but do not have a good
> > answer
> >
> > Thank you in advance for your time!
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
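The CDB approach Dan points to, worked through as an added example (this is not code from the thread, OSSEC or its authors). Because alerts are generated on the server, the list only has to exist on the manager: a plain `key:value` text file under `lists/` is compiled with `ossec-makelists`, registered in `ossec.conf`, and then referenced by a local rule with a `<list>` condition. The script below does the part that a 700-entry feed actually needs help with, namely turning a raw IP dump (comments, blanks, duplicates, CIDR ranges and junk that would otherwise end up as bogus keys) into the one-key-per-line source file, and prints the configuration fragments. The file name `lists/blacklist-ips`, rule id 100100, the `authentication_success` parent group and the sample entries are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the ossec-list thread: prepare an OSSEC CDB
# blacklist from a raw IP list and emit the matching rule/config.
# Assumptions: list file lists/blacklist-ips, local rule id 100100,
# parent group authentication_success. Adjust to your manager.

# Constructed sample feed (not real threat data): comments, blanks, a
# duplicate, an out-of-range octet and a CIDR range that a plain CDB
# key lookup cannot express.
SAMPLE_BLACKLIST='# threat feed export, constructed for this example
203.0.113.7
198.51.100.22   # known scanner

203.0.113.7
256.1.1.1
192.0.2.0/24
192.0.2.15
'

# is_ipv4 ADDR : succeed only for exactly four numeric octets in 0..255.
is_ipv4() {
    oldIFS=$IFS; IFS=.
    set -- $1            # split the address on dots
    IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric octet
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# to_cdb_source OUTFILE : read a raw list on stdin, write "ip:blacklisted"
# lines (the key:value shape ossec-makelists compiles) to OUTFILE,
# dropping comments, blanks, duplicates and anything that is not a bare
# IPv4 address. Prints the number of keys written.
to_cdb_source() {
    out=$1
    : > "$out"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}            # strip trailing comment
        set -- $line                # default IFS: trims surrounding blanks
        [ $# -ge 1 ] || continue
        ip=$1
        if ! is_ipv4 "$ip"; then
            printf 'skipping invalid entry: %s\n' "$ip" >&2
            continue
        fi
        grep -qxF "$ip:blacklisted" "$out" && continue   # duplicate
        printf '%s:blacklisted\n' "$ip" >> "$out"
    done
    wc -l < "$out" | tr -d ' '
}

# print_ossec_config : the fragments to add on the manager. The <list>
# goes inside <rules> in ossec.conf; the rule goes in local_rules.xml and
# fires when the decoded srcip is a key in the compiled list.
print_ossec_config() {
    cat <<'EOF'
<!-- ossec.conf -->
<ossec_config>
  <rules>
    <list>lists/blacklist-ips</list>
  </rules>
</ossec_config>

<!-- local_rules.xml (id and parent group are assumptions) -->
<rule id="100100" level="10">
  <if_group>authentication_success</if_group>
  <list field="srcip" lookup="address_match_key">lists/blacklist-ips</list>
  <description>Source IP is on the blacklist CDB.</description>
</rule>
EOF
}

# Stand-alone run: build the source file in a temp location, compile it
# if ossec-makelists is on this host, and show the config to paste.
LIST_FILE="${TMPDIR:-/tmp}/blacklist-ips"
count=$(printf '%s' "$SAMPLE_BLACKLIST" | to_cdb_source "$LIST_FILE")
printf 'wrote %s keys to %s\n' "$count" "$LIST_FILE"
if command -v ossec-makelists >/dev/null 2>&1; then
    echo "copy $LIST_FILE to /var/ossec/lists/blacklist-ips, then run: ossec-makelists"
else
    echo "ossec-makelists not found here; copy the file to the manager and run it there"
fi
print_ossec_config
```

Rebuild the `.cdb` (run `ossec-makelists` again) and restart the manager whenever the feed changes; the rule reads the compiled file, not the text source. Note that `address_match_key` matches the decoded `srcip` against exact keys, so the `192.0.2.0/24` style entries from the whitelist question need to be expanded to individual addresses or handled with a separate rule rather than dropped into this list.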
