Running ossec-hids-2.8.1 on OpenSUSE 13.2

I have some IPs in /var/ossec/etc/ossec.conf, like

  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>1.2.3.4</white_list>

but I still get loads of level 10 mails with content like

OSSEC HIDS Notification.
2015 Jun 09 21:27:20

Received From: localhost->/var/log/messages
Rule: 5703 fired (level 10) -> "Possible breakin attempt (high number of reverse lookup errors)."
Portion of the log(s):

2015-06-09T21:27:20.013160+02:00 localhost sshd[13842]: reverse mapping checking getaddrinfo for some.domain [1.2.3.4] failed - POSSIBLE BREAK-IN ATTEMPT!
:


Why are whitelisted IPs not suppressed in this?
I *know* what these IPs are doing, and I am fine with that.
