On Mon, Apr 28, 2014 at 9:48 AM, Binet, Valere (NIH/NIA/IRP) [C] <[email protected]> wrote:

> Hi,
>
> I'm having undesired auto-response triggering lately.
> We whitelist our internal IP range on the OSSEC server. One of our IPs is
> being a "bad boy" running a Nessus scanner and therefore triggering tons of
> OSSEC alerts. The problem is that the auto-response blocks that IP at the
> firewall even though it is part of a whitelisted range.
>
> Config info:
> OSSEC version 2.6.1

Is there any chance you can test a recent version?

> OSSEC server's ossec.conf (partial)
>
> <ossec_config>
>   <global>
>     <email_notification>yes</email_notification>
>     ...
>     <white_list>127.0.0.1</white_list>
>     <white_list>137.187.160.0/22</white_list>
>     <!-- ... other whitelists -->
>   </global>
>   ...
>   <!-- Active Response Config -->
>   <active-response>
>     <!-- Firewall Drop response. Block the IP for
>        - 600 seconds on the firewall (iptables,
>        - ipfilter, etc).
>     -->
>     <command>firewall-drop</command>
>     <location>defined-agent</location>
>     <agent_id>401</agent_id>
>     <rules_id>5712,5720,30109,31151,31152,31153,31154</rules_id>
>     <timeout>600</timeout>
>     <repeated_offenders>10,10,30,60</repeated_offenders>
>   </active-response>
>   ...
> </ossec_config>
>
> auto-response.log on the firewall (tail)
>
> Sun Apr 27 18:58:48 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - nessus.nia.nih.gov 1398639528.265373436 5720
> Sun Apr 27 19:09:19 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh delete - nessus.nia.nih.gov 1398639528.265373436 5720
> Sun Apr 27 19:11:54 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - nessus.nia.nih.gov 1398640314.267444639 5720
> Sun Apr 27 19:22:39 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh delete - nessus.nia.nih.gov 1398640314.267444639 5720
> Sun Apr 27 19:25:06 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - nessus.nia.nih.gov 1398641106.269913714 5720
> Sun Apr 27 19:35:37 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh delete - nessus.nia.nih.gov 1398641106.269913714 5720
>
> Logs on the server don't seem to show anything clearly linked to this issue.
> Searches on the user-list archives and on DuckDuckGo didn't help.
>
> I didn't choose to install the Nessus scanner and I'm not allowed to get rid
> of it. Other than that, every suggestion is welcome.
>
> Thank you.
>
> Valère Binet [C]
> IT Security Administrator
> Kelly Government Solutions On-Site at the NIH
> NIH / NIA / IRP
> Tel: 410 558 8013
> mailto: [email protected]
>
> NCTS performance comments and survey at:
> https://niairpkiosk.irp.nia.nih.gov/content/ncts-user-survey

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
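One check worth running before changing anything is to compare what the active-response log says was blocked against what the `<white_list>` entries can actually match. The script below is an added example, not part of this thread and not OSSEC's own code. It parses `<white_list>` entries (single IP, CIDR, netmask and OSSEC's trailing-dot prefix form), parses `active-responses.log` lines in the layout shown in the post, and classifies every `add` action: `hostname` when the target is not an IP literal (an IP-range white_list can never match a name, which is what the quoted log shows for nessus.nia.nih.gov), `whitelisted` when the address falls inside a listed range, otherwise `blocked`. The config fragment and log lines are constructed from the post; the address 137.187.161.25 and 203.0.113.7 are made up for illustration.

```python
"""Audit OSSEC active-response 'add' actions against <white_list> in ossec.conf.

Added example for the ossec-list thread above; not OSSEC code.  The sample
config and log lines below are constructed from the post, with two invented
addresses (137.187.161.25 inside the quoted /22, 203.0.113.7 outside it).
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed fragment of an ossec.conf (only what this check needs).
SAMPLE_OSSEC_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <white_list>127.0.0.1</white_list>
    <white_list>137.187.160.0/22</white_list>
    <!-- ... other whitelists -->
  </global>
</ossec_config>"""

# Constructed active-responses.log lines in the layout the post shows:
#   <timestamp> <script> <add|delete> <user> <srcip> <alert id> <rule id>
SAMPLE_AR_LOG = """\
Sun Apr 27 18:58:48 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - nessus.nia.nih.gov 1398639528.265373436 5720
Sun Apr 27 19:09:19 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh delete - nessus.nia.nih.gov 1398639528.265373436 5720
Sun Apr 27 19:11:54 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - 137.187.161.25 1398640314.267444639 5720
Sun Apr 27 19:25:06 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.7 1398641106.269913714 5720
"""

# Timestamp ends in the 4-digit year; the rest is whitespace separated.
AR_LINE = re.compile(
    r"^(?P<ts>.+?\d{4}) (?P<script>\S+) (?P<action>add|delete) "
    r"(?P<user>\S+) (?P<src>\S+) (?P<alert_id>\S+) (?P<rule>\d+)$"
)


def _to_network(entry):
    """Turn one white_list value into an ip_network.

    Handles 127.0.0.1, 10.0.0.0/8, 10.0.0.0/255.0.0.0 and the OSSEC
    prefix form "137.187." (meaning 137.187.0.0/16)."""
    entry = entry.strip()
    if entry.endswith("."):
        octets = entry.rstrip(".").split(".")
        entry = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
    return ipaddress.ip_network(entry, strict=False)


def load_white_list(conf_text):
    """Return every <white_list> entry as an ip_network.

    ossec.conf may contain several top-level elements, so the text is wrapped
    in a synthetic root before parsing."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    return [_to_network(el.text) for el in root.iter("white_list") if el.text]


def classify(src, white_list):
    """'hostname' if src is not an IP literal, 'whitelisted' if it falls in a
    white_list range, else 'blocked'."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "hostname"
    return "whitelisted" if any(ip in net for net in white_list) else "blocked"


def audit(conf_text, log_text):
    """Return (srcip, rule id, classification) for every 'add' action."""
    white_list = load_white_list(conf_text)
    findings = []
    for line in log_text.splitlines():
        m = AR_LINE.match(line)
        if not m or m["action"] != "add":
            continue
        findings.append((m["src"], m["rule"], classify(m["src"], white_list)))
    return findings


if __name__ == "__main__":
    for src, rule, verdict in audit(SAMPLE_OSSEC_CONF, SAMPLE_AR_LOG):
        print("%-12s rule %s  %s" % (verdict, rule, src))
```

A `whitelisted` verdict means the response fired on an address the configuration should have exempted; a `hostname` verdict means the alert's srcip field carried a name rather than an address, so an address-based white_list had nothing to compare against and the thing to inspect is the decoder output for that rule. Run it against the real files by replacing the two constructed strings with `open("/var/ossec/etc/ossec.conf").read()` and the agent's `active-responses.log`.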
