ossec-hids

whitelist IPv6 block (prefix) notation

Open Namsep opened this issue 9 years ago • 6 comments

Hi,

I'm having a hard time setting up an IPv6 prefix in the ossec.conf whitelist. I added my IPv6 home prefix but I'm still getting blocked when switching in phpMyAdmin from editing a db field with JSON to another screen.

I have tried several notations, but none works.

    <white_list>2001:1234:abcd::/48</white_list>
    <white_list>[2001:1234:abcd::]/48</white_list>

The documentation also doesn't mention it; an example would be a great help for others too. http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.global.html

Namsep avatar Feb 18 '16 09:02 Namsep

On Thu, 18 Feb 2016, Namsep wrote:

I'm having a hard time setting up an IPv6 prefix in the ossec.conf whitelist. I added my IPv6 home prefix but I'm still getting blocked when switching in phpMyAdmin from editing a db field with JSON to another screen.

I have tried several notations, but none works.

    <white_list>2001:1234:abcd::/48</white_list>
    <white_list>[2001:1234:abcd::]/48</white_list>

The documentation also doesn't mention it; an example would be a great help for others too.

I don't think you can whitelist prefixes - just individual addresses.

Antonio Querubin e-mail: [email protected] xmpp: [email protected]

aquerubin avatar Feb 18 '16 09:02 aquerubin

Whitelist does not do prefixes. For IPv4 you could try using cdb lists: https://ossec.github.io/docs/manual/rules-decoders/rule-lists.html?highlight=cdb

Using cdb for IPv6 is really not possible in a meaningful way due to how ranges are simulated in cdb.

jrossi avatar Feb 18 '16 13:02 jrossi

The correct way to match addresses for IPv6 and IPv4 would be to use a radix tree https://en.m.wikipedia.org/wiki/Radix_tree, and in fact it would be a great data structure for a lot of use cases within ossec.

jrossi avatar Feb 18 '16 13:02 jrossi

Would be nice to have though. Excluding office, home office and 3rd parties that do security scans. Nothing that an allow rule on top of the iptables rules can't fix, but maybe that's too complex for starting users.

Namsep avatar Feb 19 '16 06:02 Namsep

You should be able to use this format as well:

    <white_list>^2001:1234:abcd::</white_list>

And it will match any IPv6 address that starts like that (I know, not a real netmask, but close). We basically do pattern matching for any white list entry that is not an IPv4 address.

thanks,

dcid avatar Feb 20 '16 17:02 dcid
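To make dcid's description concrete, and jrossi's earlier point that real prefix matching needs a different lookup, here is an added Python example that is not OSSEC's own code: it contrasts a text-pattern whitelist (with assumed OSMatch-style `^`, `$` and `|` semantics for non-IPv4 entries) against true CIDR containment via Python's ipaddress module. The whitelist entries are constructed for the example.

```python
import ipaddress


def _is_ipv4_entry(entry: str) -> bool:
    """True for a plain IPv4 address or IPv4 CIDR block ('10.0.0.1', '10.0.0.0/24')."""
    try:
        return ipaddress.ip_network(entry, strict=False).version == 4
    except ValueError:
        return False


def cidr_match(entry: str, addr: str) -> bool:
    """Real prefix containment for either address family. This is the result a
    radix-tree lookup over network prefixes would give."""
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False


def pattern_match(entry: str, addr: str) -> bool:
    """Assumed OSMatch-style semantics for non-IPv4 entries, as dcid describes:
    '^' anchors the start, '$' the end, '|' separates alternatives, and a bare
    string is a substring match. It compares text, not prefix bits."""
    for alt in entry.split("|"):
        anchored_start, anchored_end = alt.startswith("^"), alt.endswith("$")
        core = alt[1 if anchored_start else 0 : -1 if anchored_end else None]
        if anchored_start and anchored_end:
            hit = addr == core
        elif anchored_start:
            hit = addr.startswith(core)
        elif anchored_end:
            hit = addr.endswith(core)
        else:
            hit = core in addr
        if hit:
            return True
    return False


def ossec_style_whitelisted(entries, addr: str) -> bool:
    """Dispatch as dcid describes: IPv4 entries are compared as addresses or
    netmasks, everything else is treated as a text pattern on the address string."""
    return any((cidr_match if _is_ipv4_entry(e) else pattern_match)(e, addr) for e in entries)


def cidr_whitelisted(entries, addr: str) -> bool:
    """What a genuinely prefix-aware whitelist would do with the same entries."""
    return any(cidr_match(e, addr) for e in entries)


# Constructed sample: dcid's '^' prefix form beside the '/48' form the reporter tried.
SAMPLE_WHITELIST = ["^2001:1234:abcd::", "2001:1234:abcd::/48", "192.168.2.0/24"]
```

The text-pattern form accepts `2001:1234:abcd::1` but rejects `2001:1234:abcd:1::5`, which is inside the /48, so a whole site behind such a prefix is still only partly covered.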

The solution given in this old (but still open!) bug report doesn't seem to work anymore in current ossec (3.6.0-14954buster), maybe due to the introduction of pcre? At least the respective commit mentions that

- Had to change ``Config->hostname_white_list`` type to ``char **`` because OSMatch no longer has the ``patterns`` field.

and changes

    echo " <white_list>^localhost.localdomain$</white_list>">>$NEWCONFIG

to

    echo " <white_list>localhost.localdomain</white_list>">>$NEWCONFIG

in install.sh, so maybe the ^/$ format doesn't work anymore.

OTOH, the line

    echo " <white_list>::1</white_list>" >> $NEWCONFIG

is still there in install.sh, but I don't know whether it actually does anything.

In consequence, I tried

    <white_list>2001:234:abcd::</white_list>
    <white_list>2001:0234:abcd::</white_list>
    <white_list>2001:234:abcd:</white_list>
    <white_list>2001:0234:abcd:</white_list>

none of which seems to work. Any ideas how to whitelist IPv6 addresses now?

martin9959 avatar Jan 02 '21 10:01 martin9959