Hi,
I'm having undesired auto-response triggering lately.
We whitelist our internal IP range on the OSSEC server. One of our IPs is being
a "bad boy" running a Nessus scanner and therefore triggering tons of OSSEC
alerts. The problem is that the auto-response blocks that IP at the firewall
even though it is part of a whitelisted range.
Config info:
OSSEC version 2.6.1
OSSEC server's ossec.conf (partial)
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    ...
    <white_list>127.0.0.1</white_list>
    <white_list>137.187.160.0/22</white_list>
    <!-- ... other whitelists -->
  </global>
  ...
  <!-- Active Response Config -->
  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
    -->
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>401</agent_id>
    <rules_id>5712,5720,30109,31151,31152,31153,31154</rules_id>
    <timeout>600</timeout>
    <repeated_offenders>10,10,30,60</repeated_offenders>
  </active-response>
  ...
</ossec_config>
auto-response.log on the firewall (tail)
Sun Apr 27 18:58:48 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - nessus.nia.nih.gov 1398639528.265373436 5720
Sun Apr 27 19:09:19 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh delete - nessus.nia.nih.gov 1398639528.265373436 5720
Sun Apr 27 19:11:54 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - nessus.nia.nih.gov 1398640314.267444639 5720
Sun Apr 27 19:22:39 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh delete - nessus.nia.nih.gov 1398640314.267444639 5720
Sun Apr 27 19:25:06 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - nessus.nia.nih.gov 1398641106.269913714 5720
Sun Apr 27 19:35:37 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh delete - nessus.nia.nih.gov 1398641106.269913714 5720
Logs on the server don't seem to show anything clearly linked to this issue.
Searches on the user-list archives and on DuckDuckGo didn't help.
I didn't choose to install the Nessus scanner and I'm not allowed to get rid of
it. Other than that, every suggestion is welcome.
Thank you.
Valère Binet [C]
IT Security Administrator
Kelly Government Solutions On-Site at the NIH
NIH / NIA / IRP
Tel : 410 558 8013
mailto: [email protected]
NCTS performance comments and survey at:
https://niairpkiosk.irp.nia.nih.gov/content/ncts-user-survey
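An added example, not part of the original post and not OSSEC's own code, that checks the active-response log against the white_list entries the way a defender would triage this: it parses the <global><white_list> entries from an ossec.conf fragment, splits each active-responses.log line into its fixed trailing fields (script, action, user, srcip, alert id, rule id), and reports for every "add" whether the srcip falls inside a whitelisted netblock. white_list takes IP addresses or netblocks, so a CIDR entry can only ever match a numeric address; the log lines in the post show the srcip argument handed to firewall-drop.sh as the hostname nessus.nia.nih.gov, which the check flags separately as "not-an-ip" rather than silently reporting "not-whitelisted". The config and log samples are constructed to mirror the post; the 137.187.161.45 and 203.0.113.9 entries are made up to show the other two verdicts.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample mirroring the <global> block of the partial ossec.conf in the post.
SAMPLE_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <white_list>127.0.0.1</white_list>
    <white_list>137.187.160.0/22</white_list>
  </global>
</ossec_config>
"""

# Constructed sample of active-responses.log. The first two lines mirror the post;
# the 137.187.161.45 and 203.0.113.9 entries are invented to show contrasting verdicts.
SAMPLE_AR_LOG = """\
Sun Apr 27 18:58:48 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - nessus.nia.nih.gov 1398639528.265373436 5720
Sun Apr 27 19:09:19 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh delete - nessus.nia.nih.gov 1398639528.265373436 5720
Sun Apr 27 19:11:54 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - 137.187.161.45 1398640314.267444639 5720
Sun Apr 27 19:25:06 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.9 1398641106.269913714 5720
"""


def load_white_list(conf_text):
    """Return the <global><white_list> entries as ip_network objects.

    Only literal addresses and CIDR netblocks (the forms used in the post) are
    handled; a bare address becomes a /32 (or /128) network.
    """
    root = ET.fromstring(conf_text)
    nets = []
    for node in root.findall("./global/white_list"):
        entry = (node.text or "").strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def classify(src, nets):
    """Verdict for one srcip value: whitelisted, not-whitelisted, or not-an-ip.

    A hostname can never fall inside a CIDR range, so it gets its own verdict
    instead of being reported as merely "not-whitelisted".
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "not-an-ip"
    return "whitelisted" if any(addr in net for net in nets) else "not-whitelisted"


def parse_ar_line(line):
    """Split one active-responses.log line into its fields.

    Layout: <date ...> <script> <action> <user> <srcip> <alert_id> <rule_id>.
    The date contains spaces, so the six trailing fields are taken from the end.
    """
    fields = line.split()
    if len(fields) < 7:
        return None
    return {
        "timestamp": " ".join(fields[:-6]),
        "script": fields[-6],
        "action": fields[-5],
        "user": fields[-4],
        "src": fields[-3],
        "alert_id": fields[-2],
        "rule_id": fields[-1],
    }


def audit(conf_text, log_text):
    """Return a verdict record for every 'add' (block) action in the log."""
    nets = load_white_list(conf_text)
    results = []
    for line in log_text.splitlines():
        rec = parse_ar_line(line)
        if rec is None or rec["action"] != "add":
            continue
        results.append({
            "timestamp": rec["timestamp"],
            "src": rec["src"],
            "rule_id": rec["rule_id"],
            "verdict": classify(rec["src"], nets),
        })
    return results


if __name__ == "__main__":
    for r in audit(SAMPLE_CONF, SAMPLE_AR_LOG):
        print(f'{r["timestamp"]}  rule {r["rule_id"]:>6}  {r["src"]:<22} {r["verdict"]}')
```

Run against the real files by reading /var/ossec/etc/ossec.conf and the agent's active-responses.log in place of the two constructed strings. When an "add" comes back as "not-an-ip", the whitelist was never in a position to match it: the value to chase is the decoder or log source that fills srcip with a hostname for rule 5720, or a white_list entry for the literal value the log shows.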