RE: [ossec-list] Massive white-listing

[Sylvain Crouet]

Yes, I think. The list of Azure Public IP ranges is easy to download and is XML 
formatted:
  <Region Name="useast">
    <IpRange Subnet="13.68.128.0/17" />
    <IpRange Subnet="13.72.64.0/18" />
    <IpRange Subnet="13.82.0.0/16" />




  </Region>

If I correctly understand documentation regarding CDB list, I must transform 
the XML file to something like this:
useast_13.68.128.0_17:13.68.128.0/17
useast_13.72.64.0_18:13.72.64.0/18
useast_13.82.0.0_16:13.82.0.0/16
replace all my <srcip>xxx</srcip> within local_rules.xml by <list field="srcip" 
lookup="address_match_key">rules/records</list>

Or maybe it does work for main CIDR blocks (/32, /24, /16 and /8) only?

Cordialement / Regards

Sylvain Crouet
Security Officer - Security is everybody’s responsibility
Mobile +33 (0) 7 75 24 10 28

From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of dan (ddp)
Sent: lundi 15 janvier 2018 20:38
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Massive white-listing



On Jan 15, 2018 11:47 AM, "Sylvain Crouet" 
<scro...@neocasesoftware.com<mailto:scro...@neocasesoftware.com>> wrote:
Hello,

I need to massively white-list several IP ranges, which furthermore change 
regularly. How can I manage this without updating a local rule manually?


Can you programatically update a cdb list?


Cordialement / Kind regards

Sylvain Crouet
Security Officer - Security is everybody’s responsibility
CISSP
ISO 27005 Risk Manager
ISO 27001 Lead Implementer
Mobile +33 (0) 7 75 24 10 28<tel:+33%207%2075%2024%2010%2028>

[Logo-Neocase-RGB-TM-TAGLINE-mail-signature]

Neocase™ Software is a leading provider of integrated HR and Finance service 
delivery solutions.
www.neocasesoftware.com<http://www.neocasesoftware.com/>

[workday_azure_partners_300dpi_1cm5]

--

---
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to 
ossec-list+unsubscr...@googlegroups.com<mailto:ossec-list+unsubscr...@googlegroups.com>.
For more options, visit https://groups.google.com/d/optout.

--

---
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to 
ossec-list+unsubscr...@googlegroups.com<mailto:ossec-list+unsubscr...@googlegroups.com>.
For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.