On Jan 16, 2018 2:53 AM, "Sylvain Crouet" <[email protected]>
wrote:
Yes, I think. The list of Azure Public IP ranges is easy to download and is
XML formatted:
<Region Name="useast">
<IpRange Subnet="13.68.128.0/17" />
<IpRange Subnet="13.72.64.0/18" />
<IpRange Subnet="13.82.0.0/16" />
</Region>
If I correctly understand documentation regarding CDB list, I must
transform the XML file to something like this:
useast_13.68.128.0_17:13.68.128.0/17
useast_13.72.64.0_18:13.72.64.0/18
useast_13.82.0.0_16:13.82.0.0/16
replace all my <srcip>xxx</srcip> within local_rules.xml by <list
field="srcip" lookup="address_match_key">rules/records</list>
I think the IPs go on the left, but I'd have to look at the docs to be
sure. I've scripted my list updates.
Or maybe it does work for main CIDR blocks (/32, /24, /16 and /8) only?
I'm also not sure about this. It'd be worth investigating. CDB lists are a
bit limited, and I have plans to add sqlite backed lists at some point, but
haven't had the time.
Cordialement / Regards
*Sylvain Crouet*
Security Officer - *Security is everybody’s responsibility*
Mobile +33 (0) 7 75 24 10 28
*From:* [email protected] [mailto:[email protected]] *On
Behalf Of *dan (ddp)
*Sent:* Monday 15 January 2018 20:38
*To:* [email protected]
*Subject:* Re: [ossec-list] Massive white-listing
On Jan 15, 2018 11:47 AM, "Sylvain Crouet" <[email protected]>
wrote:
Hello,
I need to massively white-list several IP ranges, which furthermore change
regularly. How can I manage this without updating a local rule manually?
Can you programmatically update a cdb list?
Cordialement / Kind regards
*Sylvain Crouet*
Security Officer - *Security is everybody’s responsibility*
CISSP
ISO 27005 Risk Manager
ISO 27001 Lead Implementer
Mobile +33 (0) 7 75 24 10 28
*Neocase™ Software is a leading provider of integrated HR and Finance
service delivery solutions.*
www.neocasesoftware.com
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected].
For more options, visit https://groups.google.com/d/optout.
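
Added example, not part of the original thread or of OSSEC's own code: a Python sketch of the scripted conversion from the Azure XML to CDB list lines discussed above. It assumes the key convention given in the OSSEC CDB list documentation, where the address is the key (left side) written as a dotted prefix ending on an octet boundary, so the /17 and /18 ranges are expanded into /24 prefixes; the sample XML wrapper element and the use of the region name as the value are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the XML layout quoted in the thread.
SAMPLE_XML = """<AzurePublicIpAddresses>
  <Region Name="useast">
    <IpRange Subnet="13.68.128.0/17" />
    <IpRange Subnet="13.72.64.0/18" />
    <IpRange Subnet="13.82.0.0/16" />
  </Region>
</AzurePublicIpAddresses>"""


def cdb_keys(cidr):
    """Expand an IPv4 CIDR into dotted-prefix keys on octet boundaries."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen == 0:
        raise ValueError("unsupported range: %s" % cidr)
    # Round the prefix length up to the next octet boundary: 8, 16, 24 or 32.
    aligned = -(-net.prefixlen // 8) * 8
    octets = aligned // 8
    keys = []
    for sub in net.subnets(new_prefix=aligned):
        parts = str(sub.network_address).split(".")[:octets]
        # Assumed convention: partial prefixes keep a trailing dot, hosts do not.
        keys.append(".".join(parts) + ("." if octets < 4 else ""))
    return keys


def build_cdb_lines(xml_text):
    """Return de-duplicated 'key:value' lines; the value is the region name."""
    # The file comes from the vendor; parse with defusedxml if the source is untrusted.
    root = ET.fromstring(xml_text)
    lines, seen = [], set()
    for region in root.iter("Region"):
        name = region.get("Name", "unknown")
        for rng in region.iter("IpRange"):
            for key in cdb_keys(rng.get("Subnet")):
                if key not in seen:
                    seen.add(key)
                    lines.append("%s:%s" % (key, name))
    return lines


if __name__ == "__main__":
    print("\n".join(build_cdb_lines(SAMPLE_XML)))
```

After the lines are written to the list file, the CDB has to be rebuilt with ossec-makelists before the rules see the change.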