Stephen,

If you want to granularly de-escalate or whitelist this alert, then create
a child rule to rule 5104 in /var/ossec/etc/rules/local_rules.xml like
this, somewhere in the sid range 100000-120000, with the agent name in
question substituted for MYAGENT.

  <rule id="101234" level="5">
    <if_sid>5104</if_sid>
    <hostname>MYAGENT</hostname>
    <description>Ignore promisc mode events for specific agent(s)</description>
  </rule>

This would drop the severity level of the rule down to 5 for promisc events
involving MYAGENT, hopefully low enough to be below your
<email_alert_level> in ossec.conf so you don't get emailed about it.
Actually 5104 is only a level 8, which would imply your <email_alert_level>
is 8 or lower.  I imagine that would email you about a heap of events of
little alert value.  You might want to consider bumping up that threshold.
I personally would be deluged with emails even with an <email_alert_level>
value of 10.

Regards,
Kevin
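
As an added illustration (not code from this thread or from OSSEC itself), the Python below simulates what the child rule approach does to the alert level: it assumes the stock 5104 rule as Alberto quoted it, the agent name lxbandt2 from Stephen's notification, and treats <hostname> as the agent name as described above. The matching is an approximation (Python's re stands in for OSSEC's own regex dialect), so confirm the real behaviour with /var/ossec/bin/ossec-logtest.

```python
import re
import xml.etree.ElementTree as ET

# Constructed rules file: the stock 5104 rule (level 8) as quoted in the thread,
# followed by the proposed child rule that lowers it to level 5 for one agent.
RULES_XML = """
<group name="syslog,">
  <rule id="5104" level="8">
    <if_sid>5100</if_sid>
    <regex>Promiscuous mode enabled|device \\S+ entered promiscuous mode</regex>
    <description>Interface entered in promiscuous(sniffing) mode.</description>
  </rule>
  <rule id="101234" level="5">
    <if_sid>5104</if_sid>
    <hostname>lxbandt2</hostname>
    <description>Ignore promisc mode events for specific agent(s)</description>
  </rule>
</group>
"""

def load_rules(xml_text):
    """Parse rules in file order; only the fields the simulation uses."""
    rules = []
    for r in ET.fromstring(xml_text.strip()).iter("rule"):
        rules.append({
            "id": r.get("id"), "level": int(r.get("level")),
            "if_sid": (r.findtext("if_sid") or "").strip() or None,
            "hostname": (r.findtext("hostname") or "").strip() or None,
            "regex": (r.findtext("regex") or "").strip() or None,
        })
    return rules

def evaluate(rules, agent, log_line, parent_sid="5100"):
    """Approximate OSSEC chaining: start at the generic kernel rule 5100 and
    follow child rules (<if_sid>) whose <hostname> and <regex> both hold.
    The deepest matching rule decides the alert level."""
    matched, current_sid = None, parent_sid
    for r in rules:
        if r["if_sid"] != current_sid:
            continue
        if r["hostname"] and r["hostname"] != agent:
            continue
        if r["regex"] and not re.search(r["regex"], log_line):
            continue
        matched, current_sid = r, r["id"]
    return matched

def would_email(rules, agent, log_line, email_alert_level):
    """True when the effective level reaches <email_alert_level> in ossec.conf."""
    rule = evaluate(rules, agent, log_line)
    return rule is not None and rule["level"] >= email_alert_level
```

With an email_alert_level of 8, the lxbandt2 event lands on the level-5 child rule and is logged without mail, while the same kernel line from any other agent still fires 5104 at level 8.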

On Mon, Oct 30, 2017 at 11:17 AM, Stephen LuShing <smlush...@gmail.com>
wrote:

> I do not want to block the whole event or this alert. Is there a way to
> block or whitelist a specific message from this alert? On this server we
> are getting the "Interface entered in promiscuous(sniffing) mode" alert for one
> server and a specific network interface.
>
> Can this be done at the agent level? We are basically getting the "Oct 27
> 09:39:59 lxbandt2 kernel: device eth10 entered promiscuous mode" message;
> we want to stop getting this as an email but still record it in the logs. Is
> there a way to do this?
>
> Else we may have to filter this email.
>
> Stephen LuShing
>
> On Fri, Oct 27, 2017 at 9:09 PM, <alberto.rodrig...@wazuh.com> wrote:
>
>> Hello Stephen
>>
>>   I do not know if I understood well, but if you want to disable this
>> alert, you only need to add the following block to your file
>> local_rules.xml
>>
>>   <rule id="5104" level="0" overwrite="yes">
>>     <if_sid>5100</if_sid>
>>     <regex>Promiscuous mode enabled|</regex>
>>     <regex>device \S+ entered promiscuous mode</regex>
>>     <description>Interface entered in promiscuous(sniffing) mode.</description>
>>     <group>promisc,</group>
>>   </rule>
>>
>> This block will overwrite the official 5104 rule.
>> If you want to do that, you have to be sure, because you are changing the
>> level value of the event in order to dismiss it. It could be possible that
>> other similar events (i.e. a malicious script which changes the network
>> interface to promiscuous mode) will then not be registered as an
>> alert either.
>>
>> Hope it helps.
>> Best regards,
>>
>>
>>
>> On Friday, October 27, 2017 at 7:11:26 AM UTC-7, Stephen LuShing wrote:
>>>
>>> We have recently been getting the following message from OSSEC:
>>>
>>>
>>>
>>> OSSEC HIDS Notification.
>>>
>>> 2017 Oct 27 09:40:01
>>>
>>> Received From: (lxbandt2) 10.8.6.31->/var/log/messages
>>>
>>> Rule: 5104 fired (level 8) -> "Interface entered in
>>> promiscuous(sniffing) mode."
>>>
>>> Portion of the log(s):
>>>
>>> Oct 27 09:39:59 lxbandt2 kernel: device eth10 entered promiscuous mode
>>>
>>> --END OF NOTIFICATION
>>>
>>> Question
>>>
>>>
>>>
>>> Is there a way to ignore this message (and others that are similar), as we
>>> have determined that this is not an issue for the server? (It seems like
>>> Oracle is running a process.)
>>>
>>>
>>>
>>> Is it possible to whitelist or somehow have OSSEC ignore this
>>> specific warning? If so, where do we code this?
>>>
>>> I am running OSSEC 2.8.1 on the client and server.
>>>
>>>
>>>
>>> Thanks in advance
>>>
>>>
>>>
>>> Stephen LuShing
>>>
>>> Hofstra University - Open System
>>>
>>> 125 Hofstra University
>>>
>>> McEwen Hall - Room 208
>>>
>>> Hempstead, NY 11549
>>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to ossec-list+unsubscr...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
