ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

whitelist IPv6 block (prefix) notation #747

Open Namsep opened 8 years ago

Namsep commented 8 years ago

Hi,

I'm having a hard time to setup an IPv6 prefix in the ossec.conf whitelist. I added my IPv6 home prefix but I'm still getting blocked when switching in phpMyAdmin from editing a db field with json to another screen.

I have tried several notations, but none works.

    <white_list>2001:1234:abcd::/48</white_list>
    <white_list>[2001:1234:abcd::]/48</white_list>

The documentation also doesn't mention it, an example should be a great help for others too. http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.global.html

aquerubin commented 8 years ago

On Thu, 18 Feb 2016, Namsep wrote:

I'm having a hard time to setup an IPv6 prefix in the ossec.conf whitelist. I added my IPv6 home prefix but I'm still getting blocked when switching in phpMyAdmin from editing a db field with json to another screen.

I have tried several notations, but none works.

    <white_list>2001:1234:abcd::/48</white_list>
    <white_list>[2001:1234:abcd::]/48</white_list>

The documentation also doesn't mention it, an example should be a great help for others too.

I don't think you can whitelist prefixes - just individual addresses.

Antonio Querubin e-mail: tony@lavanauts.org xmpp: antonioquerubin@gmail.com

jrossi commented 8 years ago

Whitelist does not do prefixes. For IPv4 you could try using cdb lists: https://ossec.github.io/docs/manual/rules-decoders/rule-lists.html?highlight=cdb

Using cdb for IPv6 is really not possible in a meaningful way due to how ranges are simulated in cdb.

jrossi commented 8 years ago

The correct way to match addresses for IPv6 and IPv4 would be to use a radix tree https://en.m.wikipedia.org/wiki/Radix_tree and in fact it would be a great data structure for a lot of use cases within ossec.

Namsep commented 8 years ago

Would be nice to have though. Excluding office, home office and 3rd parties that do security scans. Nothing that an allow rule on top of the iptables can't fix but maybe that's too complex for starting users.

dcid commented 8 years ago

You should be able to use this format as well:

    <white_list>^2001:1234:abcd::</white_list>

It will match any IPv6 address that starts like that (I know, not a real netmask, but close). We basically do pattern matching for any white list entry that is not an IPv4 address.

thanks,
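To make the difference between the two approaches in this thread concrete (jrossi's radix tree suggestion above, and dcid's anchored text pattern), here is a small added illustration in Python. It is not OSSEC code and does not reproduce OSSEC's matcher: `PrefixTrie` is a binary trie over address bits with longest-prefix lookup, and `pattern_allows` is my reconstruction of the "treat the entry as a pattern over the address text" idea. The whitelist entries and addresses are constructed sample data; the `/48` entry and the `^2001:1234:abcd::` pattern are the ones from the thread.

```python
"""
Prefix-based whitelist matching for IPv4 and IPv6 (added example, not OSSEC code).

PrefixTrie: a binary (radix-style) trie keyed on address bits, with
longest-prefix lookup, covering both address families.
pattern_allows: the text-pattern workaround from this thread, reconstructed
here to show where matching on text differs from matching on address bits.
"""
import ipaddress
import re
from typing import Iterator, Optional, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _key_bits(addr: Address, nbits: int) -> Iterator[str]:
    """Yield the address family, then the first nbits of the address, most
    significant bit first. Leading with the family keeps IPv4 and IPv6 entries
    on separate paths (IPv4-mapped IPv6 addresses are deliberately not folded)."""
    yield "v4" if addr.version == 4 else "v6"
    value = int(addr)
    for i in range(nbits):
        yield str((value >> (addr.max_prefixlen - 1 - i)) & 1)


class PrefixTrie:
    """Each node is a dict of child bits; a node carries a 'net' entry where a
    whitelisted prefix terminates."""

    def __init__(self) -> None:
        self.root: dict = {}

    def add(self, cidr: str) -> None:
        # strict=False tolerates host bits set in the entry, e.g. 10.1.2.3/8.
        net = ipaddress.ip_network(cidr, strict=False)
        node = self.root
        for bit in _key_bits(net.network_address, net.prefixlen):
            node = node.setdefault(bit, {})
        node["net"] = net

    def longest_match(self, ip: str) -> Optional[Network]:
        """Return the most specific whitelisted prefix containing ip, or None."""
        addr = ipaddress.ip_address(ip)
        node = self.root
        best = None
        for bit in _key_bits(addr, addr.max_prefixlen):
            if "net" in node:
                best = node["net"]
            node = node.get(bit)
            if node is None:
                break
        else:
            # All bits consumed: the leaf itself may hold a /32 or /128 entry.
            if "net" in node:
                best = node["net"]
        return best

    def allows(self, ip: str) -> bool:
        """A malformed address is never whitelisted."""
        try:
            return self.longest_match(ip) is not None
        except ValueError:
            return False


def pattern_allows(entry: str, ip: str) -> bool:
    """Reconstruction of the thread's workaround: apply the entry as a regular
    expression to the textual address. Because it matches text rather than
    address bits, every textual form of an in-range address would have to be
    anticipated by the pattern."""
    return re.search(entry, ip) is not None


if __name__ == "__main__":
    trie = PrefixTrie()
    for entry in ("2001:1234:abcd::/48", "10.0.0.0/8"):  # constructed entries
        trie.add(entry)
    samples = ["2001:1234:abcd::1", "2001:1234:abcd:1::1",
               "2001:1234:abcd:0:0:0:0:1", "2001:1234:abce::1",
               "10.20.30.40", "11.0.0.1"]  # constructed addresses
    for ip in samples:
        print(f"{ip:26} trie={trie.allows(ip)!s:5} "
              f"pattern={pattern_allows('^2001:1234:abcd::', ip)}")
```

Running it shows the gap the thread is circling: `2001:1234:abcd:1::1` and the uncompressed `2001:1234:abcd:0:0:0:0:1` both lie inside `2001:1234:abcd::/48` and are accepted by the trie, but neither starts with the text `2001:1234:abcd::`, so the pattern rejects them, while an address outside the prefix is rejected by both.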

martin9959 commented 3 years ago

The solution given in this old (but still open!) bug report doesn't seem to work anymore in current ossec (3.6.0-14954buster), maybe due to the introduction of pcre? At least the respective commit mentions that

- Had to change ``Config->hostname_white_list`` type to ``char **`` because OSMatch no longer have the ``patterns`` field.

and changes

    echo " <white_list>^localhost.localdomain$</white_list>">>$NEWCONFIG

to

    echo " <white_list>localhost.localdomain</white_list>">>$NEWCONFIG

in install.sh, so maybe the ^/$ format doesn't work anymore.

OTOH, the line

    echo " <white_list>::1</white_list>" >> $NEWCONFIG

is still there in install.sh, but I don't know whether it actually does anything.

In consequence, I tried

    <white_list>2001:234:abcd::</white_list>
    <white_list>2001:0234:abcd::</white_list>
    <white_list>2001:234:abcd:</white_list>
    <white_list>2001:0234:abcd:</white_list>

none of which seems to work. Any ideas how to whitelist IPv6 addresses now?