Since I cannot find any documentation about incompatibilities or things (not) 
to do when upgrading, I'll assume the process is straightforward and I'll 
upgrade the OSSEC server using the AtomiCorp repository.
If I'm wrong I can rely on Puppet and backups to go back, I guess.
If it goes well, the firewall will likely be the first agent I upgrade.

________________________________________
From: dan (ddp) [[email protected]]
Sent: Tuesday, April 29, 2014 7:48 AM
To: [email protected]
Subject: Re: [ossec-list] whitelisted IP triggers auto-response

On Mon, Apr 28, 2014 at 9:48 AM, Binet, Valere (NIH/NIA/IRP) [C]
<[email protected]> wrote:
> Hi,
>
> I'm having undesired auto-response triggering lately.
> We whitelist our internal IP range on the OSSEC server. One of our IPs is 
> being a "bad boy" running a Nessus scanner and therefore triggering tons of 
> OSSEC alerts. The problem is that the auto-response blocks that IP at the 
> firewall even it is part of a whitelisted range.
>
> Config info :
> OSSEC version 2.6.1

Is there any chance you can test a recent version?

> OSSEC server's ossec.conf (partial)
>
> <ossec_config>
>   <global>
>     <email_notification>yes</email_notification>
> ...
>     <white_list>127.0.0.1</white_list>
>     <white_list>137.187.160.0/22</white_list>
> <!-- ... other whitelists -->
>  </global>
> ...
>   <!-- Active Response Config -->
>   <active-response>
>     <!-- Firewall Drop response. Block the IP for
>        - 600 seconds on the firewall (iptables,
>        - ipfilter, etc).
>       -->
>     <command>firewall-drop</command>
>     <location>defined-agent</location>
>     <agent_id>401</agent_id>
>     <rules_id>5712,5720,30109,31151,31152,31153,31154</rules_id>
>     <timeout>600</timeout>
>     <repeated_offenders>10,10,30,60</repeated_offenders>
>   </active-response>
> ...
> </ossec_config>
>
> auto-response.log on the firewall (tail)
>
> Sun Apr 27 18:58:48 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - nessus.nia.nih.gov 1398639528.265373436 5720
> Sun Apr 27 19:09:19 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh delete - nessus.nia.nih.gov 1398639528.265373436 5720
> Sun Apr 27 19:11:54 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - nessus.nia.nih.gov 1398640314.267444639 5720
> Sun Apr 27 19:22:39 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh delete - nessus.nia.nih.gov 1398640314.267444639 5720
> Sun Apr 27 19:25:06 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - nessus.nia.nih.gov 1398641106.269913714 5720
> Sun Apr 27 19:35:37 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh delete - nessus.nia.nih.gov 1398641106.269913714 5720
>
> Logs on the server don't seem to show anything clearly linked to this issue.
> Searches on the user-list archives and on DuckDuckGo didn't help.
>
> I didn't choose to install the Nessus scanner and I'm not allowed to get rid 
> of it. Other than that, every suggestion is welcomed.
>
> Thank you.
>
> Valère Binet [C]
> IT Security Administrator
> Kelly Government Solutions On-Site at the NIH
> NIH / NIA / IRP
> Tel : 410 558 8013
> mailto:  [email protected]
>
>
> NCTS performance comments and survey at:
> https://niairpkiosk.irp.nia.nih.gov/content/ncts-user-survey
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
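Before concluding that the whitelist is being ignored, it is worth confirming that the address being blocked really falls inside the configured ranges. The following check is added here as an example and is not part of the thread or of OSSEC itself; it parses the `<white_list>` entries from a constructed ossec.conf modelled on the one quoted above and tests candidate addresses against them (the dotted-netmask form and the sample addresses are assumptions, not values from the thread).

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample config modelled on the partial ossec.conf in the thread;
# the elided parts ("...") are replaced with a minimal well-formed document.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <white_list>127.0.0.1</white_list>
    <white_list>137.187.160.0/22</white_list>
    <white_list>10.0.0.0/255.255.255.0</white_list>
  </global>
</ossec_config>"""


def parse_white_list(conf_xml):
    """Return the <white_list> entries under <global> as ip_network objects.
    Plain addresses, CIDR prefixes and dotted-quad netmasks are accepted
    (an assumption about accepted syntax; the thread shows only the first two)."""
    root = ET.fromstring(conf_xml)
    nets = []
    for el in root.iterfind("./global/white_list"):
        text = (el.text or "").strip()
        if text:
            nets.append(ipaddress.ip_network(text, strict=False))
    return nets


def whitelisted(ip, nets):
    """True if ip falls inside any whitelisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def check_active_response_ips(conf_xml, ips):
    """Map each address an active response acted on to whether the whitelist
    as written covers it, so a blocked host can be confirmed as a genuine
    whitelist failure rather than a range typo (e.g. /22 written for /21)."""
    nets = parse_white_list(conf_xml)
    return {ip: whitelisted(ip, nets) for ip in ips}


if __name__ == "__main__":
    # Constructed addresses: one inside 137.187.160.0/22, one just outside it.
    results = check_active_response_ips(
        SAMPLE_OSSEC_CONF, ["137.187.161.7", "137.187.164.1"])
    for ip, covered in results.items():
        print(ip, "whitelisted" if covered else "NOT whitelisted")
```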
