Stephen,

If you want to granularly de-escalate or whitelist this alert, then create a child rule to rule 5104 in /var/ossec/etc/rules/local_rules.xml like this, somewhere in the sid range 100000-120000, with the agent name in question substituted for MYAGENT.

<rule id="101234" level="5">
  <if_sid>5104</if_sid>
  <hostname>MYAGENT</hostname>
  <description>Ignore promisc mode events for specific agent(s)</description>
</rule>

This would drop the severity level of the rule down to 5 for promisc events involving MYAGENT, hopefully low enough to be below your <email_alert_level> in ossec.conf so you don't get emailed about it.

Actually 5104 is only a level 8, which would imply your <email_alert_level> is 8 or lower. I imagine that would email you about a heap of events of little alert value. You might want to consider bumping up that threshold. I personally would be deluged with emails even with an <email_alert_level> value of 10.

Regards,
Kevin

On Mon, Oct 30, 2017 at 11:17 AM, Stephen LuShing <smlush...@gmail.com> wrote:
> I do not want to block the whole event or this alert. Is there a way to block or whitelist a specific message from this alert? On this server we are getting the "Interface entered in promiscuous(sniffing) mode" for one server and a specific network interface.
>
> Can this be done on the agent level? We are basically getting the "Oct 27 09:39:59 lxbandt2 kernel: device eth10 entered promiscuous mode" message - we want to stop getting this as an email but still record it in the logs. Is there a way to do this?
>
> Else we may have to filter this email.
>
> Stephen LuShing
>
> On Fri, Oct 27, 2017 at 9:09 PM, <alberto.rodrig...@wazuh.com> wrote:
>
>> Hello Stephen
>>
>> I do not know if I understood well, but if you want to disable this alert, you only need to add the following block to your file local_rules.xml
>>
>> <rule id="5104" level="0" overwrite="yes">
>>   <if_sid>5100</if_sid>
>>   <regex>Promiscuous mode enabled|</regex>
>>   <regex>device \S+ entered promiscuous mode</regex>
>>   <description>Interface entered in promiscuous(sniffing) mode.</description>
>>   <group>promisc,</group>
>> </rule>
>>
>> This block will overwrite the official 5104 rule.
>> If you want to do that, you have to be sure, because you are changing the level value of the event in order to dismiss it. It could be possible that other similar events (i.e. a malicious script which changes the network interface to promiscuous mode) will not be registered as an alert either.
>>
>> Hope it helps.
>> Best regards,
>>
>> On Friday, October 27, 2017 at 7:11:26 AM UTC-7, Stephen LuShing wrote:
>>>
>>> We have recently been getting the following message from OSSEC:
>>>
>>> OSSEC HIDS Notification.
>>> 2017 Oct 27 09:40:01
>>>
>>> Received From: (lxbandt2) 10.8.6.31->/var/log/messages
>>> Rule: 5104 fired (level 8) -> "Interface entered in promiscuous(sniffing) mode."
>>> Portion of the log(s):
>>>
>>> Oct 27 09:39:59 lxbandt2 kernel: device eth10 entered promiscuous mode
>>>
>>> --END OF NOTIFICATION
>>>
>>> Question
>>>
>>> Is there a way to ignore this message (and others that are similar) as we determined that this is not an issue for the server (it seems like Oracle is running a process)?
>>>
>>> If it is possible to whitelist or somehow have OSSEC ignore this specific warning, where do we code this?
>>>
>>> I am running OSSEC 2.8.1 on the client and server.
>>>
>>> Thanks in advance
>>>
>>> Stephen LuShing
>>> Hofstra University - Open System
>>> 125 Hofstra University
>>> McEwen Hall - Room 208
>>> Hempstead, NY 11549
>>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
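An added example (not code from this thread) that goes a step further than Kevin's child rule: it keeps the event at level 8 so it is still written to alerts.log, suppresses only the email with OSSEC's <options>no_email_alert</options> rule option, and narrows the match to the host and interface from Stephen's log line, so promiscuous mode on any other agent, or on another interface of the same host, still alerts and emails as before. The agent name lxbandt2, interface eth10 and rule id 101234 are taken from the thread; the rule goes inside the existing <group> element of /var/ossec/etc/rules/local_rules.xml.

```xml
<!-- Added example, not part of the original thread.
     Child rule of 5104: fires only for the known-benign case (agent lxbandt2,
     interface eth10), stays at level 8 so it is logged in alerts.log, but is
     not emailed. Any other agent or interface still matches plain 5104. -->
<rule id="101234" level="8">
  <if_sid>5104</if_sid>
  <!-- agent name as shown in the "(lxbandt2) 10.8.6.31->..." location header -->
  <hostname>lxbandt2</hostname>
  <!-- <match> is a literal substring match against the log line -->
  <match>device eth10 entered promiscuous mode</match>
  <!-- log the alert, skip the email; <email_alert_level> is left untouched -->
  <options>no_email_alert</options>
  <description>eth10 on lxbandt2 entered promiscuous mode (known Oracle process; logged, not emailed)</description>
  <group>promisc,</group>
</rule>
```

Restart with /var/ossec/bin/ossec-control restart, then confirm in /var/ossec/logs/alerts/alerts.log that the next occurrence reports rule 101234 rather than 5104 and that no email is sent. /var/ossec/bin/ossec-logtest can check the <match> part against the kernel line, but it treats input as a local log, so the <hostname> condition is only exercised by a real event from the agent.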