I haven't used address_match_key in a CDB, but this doc explains it pretty 
well.  It's the type of lookup performed...

https://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html

Also - I'd consider adding your scanner IPs to the whitelist in ossec.conf, 
even if you're not using active response.

I'm also not sure if this is enough to block out all the alerts; it really 
depends on what type of hosts you're protecting, and on whether you have 
"things" set up correctly (e.g. IIS logging).  I would run a scan against a 
set of hosts and identify what type of alerts you're receiving.  Then go down 
that road to quiet the alerting.  I usually use <match></match> addresses in 
local_rules.xml for this type of work, but I'm sure a CDB list would work 
just as well.  

HTH!!!


> Value: address_match_key
>
> - Positive key match: field is an IP address and the key to search within 
>   the cdb, and will match if the key is present.
>
> Value: not_address_match_key
>
> - Negative key match: field is an IP address, the key to search, and will 
>   match if it *IS NOT* present in the database.
>
> Value: address_match_key_value
>
> - Key and Value Match: field is an IP address searched for in the cdb, and 
>   if found the value will be compared with the regex from attribute 
>   check_value.
>
> Note
>
> This feature is not yet complete.
>
> *check_value*
>
> - regex pattern for matching on the value pulled out of the cdb when using 
>   lookup types: address_match_key_value, match_key_value
>
> *Allowed:*
>
> Path to the CDB file to be used for lookup from the OSSEC directory. This 
> file must also be included in the ossec.conf file.
>
> *Example:*
>
> <rule id="100000" level="7">
>   <list lookup="match_key" field="srcip">path/to/list/file</list>
>   <description>Checking srcip against cdb list file</description>
> </rule>
>

On Tuesday, May 14, 2019 at 10:05:55 AM UTC-7, Stephen S wrote:
>
> I've been following the instructions from the below link to set up a 
> whitelist for our vulnerability scanners.  
>
> https://geekcabi.net/article/ossec-whitelisting/
>
> So far, I have the following config in 
> /var/ossec/lists/approved_scanner_list
>
> ipaddress1:scanner1
> ipaddress2:scanner2
>
> In /var/ossec/etc/ossec.conf I reference that by:
>
> <list>/var/ossec/lists/approved_scanners_list</list>
>
> Note here that I am not trying to block active responses, I want to 
> disable any alerting emails that these scanners generate. Is that enough to 
> block out all alerts from the scanners?
>
> I am also looking to take this one step further and only block specific 
> rules that a scanner may trigger if I so choose. 
>
> In the link documentation it calls for the line:
>
> <list field="srcip" 
> lookup="address_match_key">lists/approved_scanners_list</list>
>
>
> However, since I have multiple scanner IPs, can I list them in the 
> "srcip" section as comma-delimited? 
>
> Such as "field="ipaddress1, ipaddress2"
>
> Also, I have no clue what "address_match_key" should translate to. How 
> should I populate that field?
>
> Can anyone help me get this going?
>
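Added here as a worked example of the list/rule setup discussed above (this is my own POSIX sh script, not code from the thread or from the OSSEC project): it checks that the list source file keeps one `ip:label` entry per line (the comma-delimited form asked about is not valid) and prints a local_rules.xml rule that silences chosen parent rules for listed scanners. The rule id 100100, the if_sid values, and the handling of keys ending in "." as network prefixes are assumptions of the script.

```shell
# Added example, not from the thread: check an OSSEC CDB list source file and
# emit a local_rules.xml rule that uses it. Rule id 100100 and the if_sid
# values are placeholders; treating keys that end in "." as network prefixes
# is an assumption of this script (the thread shows single addresses only).
# Accept a full dotted-quad IPv4 address, or a 1-3 octet prefix ending in "."
valid_ip_key() {
  case "$1" in ''|*[!0-9.]*|.*|*..*) return 1 ;; esac
  n=0; oldifs=$IFS; IFS=.
  for octet in $1; do
    n=$((n + 1))
    if [ "$octet" -gt 255 ]; then IFS=$oldifs; return 1; fi
  done
  IFS=$oldifs
  case "$1" in
    *.) [ "$n" -ge 1 ] && [ "$n" -le 3 ] ;;
    *)  [ "$n" -eq 4 ] ;;
  esac
}
# The list source holds one "ip:label" entry per line; a comma-separated set
# of addresses on one line is not valid. Prints each bad line, returns 1 if any.
check_list_file() {
  bad=0; lineno=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
    case "$line" in *:*) ;; *)
      echo "line $lineno: missing ':' between IP and label -> $line"; bad=1; continue ;;
    esac
    key=${line%%:*}
    case "$key" in *,*|*' '*)
      echo "line $lineno: one IP per line, not a comma list -> $line"; bad=1; continue ;;
    esac
    valid_ip_key "$key" || { echo "line $lineno: key is not an IPv4 address -> $line"; bad=1; }
  done < "$1"
  return $bad
}
# A level-0 rule is never alerted on (so no email), here only for the parent
# rules named in if_sid and only when srcip is in the list. Recompile the
# list with /var/ossec/bin/ossec-makelists after editing it.
render_whitelist_rule() {
  cat <<EOF
<rule id="$1" level="0">
  <if_sid>$2</if_sid>
  <list field="srcip" lookup="address_match_key">$3</list>
  <description>Approved vulnerability scanner, alert suppressed</description>
</rule>
EOF
}
```

Run `check_list_file /var/ossec/lists/approved_scanners_list` before compiling, then paste the output of `render_whitelist_rule 100100 "<rule ids>" lists/approved_scanners_list` into local_rules.xml.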
