Vuln ossec-hids whitelist-critical

From Atomicorp Wiki
Revision as of 14:23, 29 October 2013 by Mshinn (Talk | contribs)


This vulnerability is designed to alert you if you have a large number of IP addresses whitelisted. Whitelisting tells ASL to absolutely trust a host: it will never block any attacks from that host, and it will never alert you about attacks from that host. In short, it extends the security boundary to those hosts. Because ASL has no visibility into those hosts, it doesn't know whether it can trust them and is alerting you to this fact.

A large number of whitelisted hosts, such as a whole whitelisted network, means that a large number of systems need to be trusted. This is a fairly risky condition for the system to be in: a large number of hosts are very difficult to secure, and the probability of one of them being compromised is much higher when there is a large number of hosts on the whitelist.
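The condition this alert describes can be checked by hand. The script below is an added example, not ASL's own check or code from this wiki; it assumes the whitelist is the set of `<white_list>` entries under `<global>` in an OSSEC `ossec.conf`, and the `MAX_WHITELISTED_HOSTS` threshold is an assumed placeholder, since the article gives no number. It expands network entries so that a single `/16` is counted as the 65,536 hosts it actually trusts.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of the <global> section of an OSSEC ossec.conf. The
# loopback entry is the usual default; the /16 entry is the kind of
# "whitelist a whole network" setting the article warns about.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>203.0.113.10</white_list>
    <white_list>10.0.0.0/16</white_list>
    <white_list>192.168.1.0/255.255.255.0</white_list>
  </global>
</ossec_config>"""

# Assumed threshold (placeholder): the article does not state one.
MAX_WHITELISTED_HOSTS = 256


def whitelist_entries(conf_xml: str) -> list[str]:
    """Return every <white_list> value found in the configuration."""
    root = ET.fromstring(conf_xml)
    return [e.text.strip() for e in root.iter("white_list") if e.text]


def entry_host_count(entry: str) -> int:
    """Number of addresses one entry trusts. Accepts a single host,
    CIDR form (10.0.0.0/16) and dotted-netmask form
    (192.168.1.0/255.255.255.0); strict=False tolerates host bits."""
    return ipaddress.ip_network(entry, strict=False).num_addresses


def audit_whitelist(conf_xml: str, limit: int = MAX_WHITELISTED_HOSTS) -> dict:
    """Summarise how many hosts the whitelist extends trust to and flag
    the configuration when that total exceeds the limit."""
    per_entry = {e: entry_host_count(e) for e in whitelist_entries(conf_xml)}
    total = sum(per_entry.values())
    return {
        "entries": per_entry,
        "total_hosts": total,
        # Entries that trust more than one host are the ones to review first.
        "network_entries": [e for e, n in per_entry.items() if n > 1],
        "critical": total > limit,
    }


if __name__ == "__main__":
    report = audit_whitelist(SAMPLE_OSSEC_CONF)
    print(f"{report['total_hosts']} hosts whitelisted, critical={report['critical']}")
    for entry in report["network_entries"]:
        print(f"  review network entry: {entry}")
```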

You should not whitelist CDNs, such as Cloudflare for example. If you use a CDN, you should configure your system to treat it as a proxy, which will prevent ASL from blocking it accidentally. CDNs may still allow attacks to reach your system, and if you whitelist them ASL will neither stop those attacks nor alert you to them.

Please see the proxy article for information about configuring ASL to treat a host as a proxy.


We recommend you only whitelist hosts that you know are extremely secure. If ASL is blocking a host due to a false positive, please report it to us; we would be happy to fix it for you.
