I do not want to block the whole event or this alert. Is there a way to
block or whitelist a specific message from this alert? On this server we
are getting the "Interface entered in promiscuous(sniffing) mode" alert for
one server and a specific network interface.

Can this be done on the agent level? We are basically getting the "Oct 27
09:39:59 lxbandt2 kernel: device eth10 entered promiscuous mode" message;
we want to stop getting this as an email but still record it in the logs. Is
there a way to do this?

Else we may have to filter this email.

Stephen LuShing

On Fri, Oct 27, 2017 at 9:09 PM, <alberto.rodrig...@wazuh.com> wrote:

> Hello Stephen
>
>   I do not know if I understood well, but if you want to disable this
> alert, you only need to add the following block to your file
> local_rules.xml
>
>   <rule id="5104" level="0" overwrite="yes">
>     <if_sid>5100</if_sid>
>     <regex>Promiscuous mode enabled|</regex>
>     <regex>device \S+ entered promiscuous mode</regex>
>     <description>Interface entered in promiscuous(sniffing) mode.</description>
>     <group>promisc,</group>
>   </rule>
>
> This block will overwrite the official 5104 rule.
> If you want to do that, you have to be sure, because you are changing the
> level value of the event in order to dismiss it. It could be possible that
> with other similar events (e.g. a malicious script which changes the network
> interface to promiscuous mode), the event will not be registered as an
> alert either.
>
> Hope it helps.
> Best regards,
>
>
>
> On Friday, October 27, 2017 at 7:11:26 AM UTC-7, Stephen LuShing wrote:
>>
>> We have recently been getting the following message from OSSEC:
>>
>> OSSEC HIDS Notification.
>>
>> 2017 Oct 27 09:40:01
>>
>> Received From: (lxbandt2) 10.8.6.31->/var/log/messages
>>
>> Rule: 5104 fired (level 8) -> "Interface entered in promiscuous(sniffing)
>> mode."
>>
>> Portion of the log(s):
>>
>> Oct 27 09:39:59 lxbandt2 kernel: device eth10 entered promiscuous mode
>>
>> --END OF NOTIFICATION
>>
>> Question
>>
>> Is there a way to ignore this message (and others that are similar), as we
>> have determined that this is not an issue for the server (it seems like
>> Oracle is running a process)?
>>
>> Is it possible to whitelist this or somehow have OSSEC ignore this
>> specific warning? If so, where do we code this?
>>
>> I am running OSSEC 2.8.1 on the client and server.
>>
>>
>>
>> Thanks in advance
>>
>>
>>
>> Stephen LuShing
>>
>> Hofstra University - Open System
>>
>> 125 Hofstra University
>>
>> McEwen Hall - Room 208
>>
>> Hempstead, NY 11549
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

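Added example (editor's note, not from either poster): a way to keep rule 5104 intact and still get the log entry, but stop the email for just this one host and interface. OSSEC evaluates rules on the manager, not the agent, so this goes in the manager's /var/ossec/rules/local_rules.xml. It uses a child rule of 5104 with the `no_email_alert` rule option; because the child rule is more specific, it is the one that fires for the matching line, while 5104 (level 8, emailed) keeps firing for every other host or interface. The rule id 100104 is an arbitrary choice in the 100000+ range reserved for local rules, and the `hostname` match assumes the syslog hostname decoded from the line is `lxbandt2`, as in the alert shown above.

```xml
<!-- Added example for the manager's local_rules.xml; not from the thread. -->
<!-- id 100104 is an arbitrary local-range id; hostname/interface are the ones
     quoted in the alert above and are assumed to be what the decoder extracts. -->
<group name="local,syslog,">
  <rule id="100104" level="8">
    <if_sid>5104</if_sid>
    <hostname>^lxbandt2$</hostname>
    <match>device eth10 entered promiscuous mode</match>
    <options>no_email_alert</options>
    <description>eth10 on lxbandt2 entered promiscuous mode (expected; logged, no email).</description>
    <group>promisc,</group>
  </rule>
</group>
```

Keeping the level at 8 rather than 0 is what keeps the event in alerts.log; a level 0 rule would drop it from the alert log entirely, which is the trade-off in the overwrite approach quoted above. Before restarting the manager (`/var/ossec/bin/ossec-control restart`), paste the exact line `Oct 27 09:39:59 lxbandt2 kernel: device eth10 entered promiscuous mode` into `/var/ossec/bin/ossec-logtest` and confirm rule 100104 fires; then change the hostname or the interface name and confirm 5104 fires instead, so that a promiscuous-mode change on any other interface or host still produces an email.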