It probably depends on the rules. Some use the IP while others use the FQDN.
I remember having to whitelist both the IP and the name of one of our machines even in 2.7. It was a Nessus scanner doing lots of nasty things on all our other machines. (... but Tenable, the makers of Nessus, will tell you it's for our own good 😉)

Valère Binet [C]
GRSi contractor
NIH / NIA / IRP

________________________________
From: Paul Raines <[email protected]>
Sent: Thursday, May 3, 2018 3:57:38 PM
To: ossec-list
Subject: [ossec-list] whitelist ignored on active response

I have on my OSSEC 2.9.3 server in /var/ossec/etc/ossec.conf several whitelisted IPs:

    <ossec_config>
      <global>
        <white_list>172.21.21.35</white_list>
        ...

Yet on my clients, this IP will still get blocked at the firewall if an active response is triggered from the host. I have definitely restarted both server and client since the ossec.conf change. My active response log even shows the client blocking itself, which I would think should be automatically excluded.

I do not see this behavior on my older 2.7 install. I notice the active-reponse.log has IPs on 2.7 but full FQDN hostnames in 2.9.3. Are we supposed to use full hostnames for the white_list now? The documentation still says IPs.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
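A small audit script, added here and not part of the thread, that applies the advice above: it collects every <white_list> value in ossec.conf (IP, CIDR or hostname, across several <ossec_config> blocks, which OSSEC permits) and reports which protected hosts are still missing either their IP or their FQDN entry. The config fragment and the host inventory are constructed samples, not a real deployment.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment (not a real config). OSSEC allows several
# <ossec_config> blocks, so the file is wrapped in a synthetic root to parse it.
SAMPLE_CONF = """
<ossec_config>
  <global>
    <white_list>172.21.21.35</white_list>
    <white_list>scanner.example.internal</white_list>
  </global>
</ossec_config>
<ossec_config>
  <global>
    <white_list>10.0.0.0/24</white_list>
  </global>
</ossec_config>
"""

# Hypothetical inventory: IP -> FQDN of hosts that must never be blocked.
PROTECTED_HOSTS = {"172.21.21.35": "scanner.example.internal",
                   "10.0.0.7": "backup.example.internal"}


def parse_white_list(conf_text):
    """Return the set of every <white_list> value in the file."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    return {w.text.strip() for w in root.iter("white_list") if w.text and w.text.strip()}


def as_network(entry):
    """IP or CIDR entry -> ip_network; hostname entry -> None."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None


def audit(conf_text, hosts):
    """Map each protected IP to (ip_listed, fqdn_listed)."""
    entries = parse_white_list(conf_text)
    nets = [n for n in map(as_network, entries) if n is not None]
    names = {e.lower() for e in entries if as_network(e) is None}
    return {ip: (any(ipaddress.ip_address(ip) in n for n in nets), fqdn.lower() in names)
            for ip, fqdn in hosts.items()}


def missing_entries(conf_text, hosts):
    """white_list values still needed so every host is listed by IP and by name."""
    missing = []
    for ip, (ip_ok, name_ok) in sorted(audit(conf_text, hosts).items()):
        missing += ([] if ip_ok else [ip]) + ([] if name_ok else [hosts[ip]])
    return missing
```

Run it against the real ossec.conf and inventory and add a <white_list> line for each value it returns, then restart server and agents.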
