whitelist IPv6 block (prefix) notation #747
Comments
|
On Thu, 18 Feb 2016, Namsep wrote:
I don't think you can whitelist prefixes - just individual addresses. Antonio Querubin |
|
Whitelist does not do prefixes. For IPv4 you could try using cdb lists: https://ossec.github.io/docs/manual/rules-decoders/rule-lists.html?highlight=cdb Using cdb for IPv6 is really not possible in a meaning full way do to how Ranges are simulated in cdb. |
|
The correct way to match address for IPv6 and IPv4 would be to us radix tree https://en.m.wikipedia.org/wiki/Radix_tree and in fact would be a great data structure for a lot of use cases within ossec. |
|
Would be nice to have tho. Excluding office, home office and 3rd party that does security scans. Nothing that an allow rule on top of the IPtables can't fix but maybe that's to complex for starting users. |
|
You should be able to use this format as well:
thanks, |
|
The solution given in this old (but still open!) bug report doesn't seem to work anymore in current ossec (3.6.0-14954buster), maybe due to the introduction of pcre? At least the respective commit mentions that
and changes
to
in install.sh, so maybe the ^/$ format doesn't work anymore. OTOH, the line
is still there in install.sh, but I don't know whether it actually does anything. In consequence, I tried
none of which seems to work. Any ideas how to whitelist IPv6 addresses now? |
Hi,
I'm having a hard time to setup an IPv6 prefix in de ossec.conf whitelist. I added my IPv6 home prefix but i'm still getting blocked when switching in phpMyAdmin from editing a db field with json to another screen.
I have tried several notations, but none works.
The documentation also doesn't mention it, an example should be a great help for others to.
http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.global.html
The text was updated successfully, but these errors were encountered: