On Tue, Oct 31, 2017 at 10:58 AM, Stephen LuShing <smlush...@gmail.com> wrote:
> Does this child rule go on my main ossec server or on the agent side? I'm
> still learning OSSEC.
>
Rules go on the OSSEC manager.

> Thanks in advance
>
> Steve Lushing
>
> On Mon, Oct 30, 2017 at 11:43 AM, Branch Family <branchbu...@gmail.com> wrote:
>>
>> Stephen,
>>
>> If you want to granularly de-escalate or whitelist this alert, then create
>> a child rule to rule 5104 in /var/ossec/etc/rules/local_rules.xml like this,
>> somewhere in the sid range 100000-120000, with the agent name in question
>> substituted for MYAGENT.
>>
>> <rule id="101234" level="5">
>>   <if_sid>5104</if_sid>
>>   <hostname>MYAGENT</hostname>
>>   <description>Ignore promisc mode events for specific agent(s)</description>
>> </rule>
>>
>> This would drop the severity level of the rule down to 5 for promisc
>> events involving MYAGENT, hopefully low enough to be below your
>> <email_alert_level> in ossec.conf so you don't get emailed about it.
>> Actually 5104 is only a level 8, which would imply your <email_alert_level>
>> is 8 or lower. I imagine that would email you about a heap of events of
>> little alert value. You might want to consider bumping up that threshold.
>> I personally would be deluged with emails even with an <email_alert_level>
>> value of 10.
>>
>> Regards,
>> Kevin
>>
>> On Mon, Oct 30, 2017 at 11:17 AM, Stephen LuShing <smlush...@gmail.com> wrote:
>>>
>>> I do not want to block the whole event or this alert. Is there a way to
>>> block or whitelist a specific message from this alert? On this server we are
>>> getting the "Interface entered in promiscuous(sniffing) mode" alert for one
>>> server and a specific network interface.
>>>
>>> Can this be done on the agent level? We are basically getting the "Oct 27
>>> 09:39:59 lxbandt2 kernel: device eth10 entered promiscuous mode" message;
>>> we want to stop getting this as an email but still record it in the logs. Is
>>> there a way to do this?
>>>
>>> Else we may have to filter this email.
>>>
>>> Stephen LuShing
>>>
>>> On Fri, Oct 27, 2017 at 9:09 PM, <alberto.rodrig...@wazuh.com> wrote:
>>>>
>>>> Hello Stephen
>>>>
>>>> I do not know if I understood well, but if you want to disable this
>>>> alert, you only need to add the following block to your file
>>>> local_rules.xml
>>>>
>>>> <rule id="5104" level="0" overwrite="yes">
>>>>   <if_sid>5100</if_sid>
>>>>   <regex>Promiscuous mode enabled|</regex>
>>>>   <regex>device \S+ entered promiscuous mode</regex>
>>>>   <description>Interface entered in promiscuous(sniffing) mode.</description>
>>>>   <group>promisc,</group>
>>>> </rule>
>>>>
>>>> This block will overwrite the official 5104 rule.
>>>> If you want to do that, you have to be sure, because you are changing
>>>> the level value of the event in order to dismiss it. It could be possible
>>>> that other similar events (i.e. a malicious script which changes the network
>>>> interface to promiscuous mode) will then not be registered as an alert either.
>>>>
>>>> Hope it helps.
>>>> Best regards,
>>>>
>>>> On Friday, October 27, 2017 at 7:11:26 AM UTC-7, Stephen LuShing wrote:
>>>>>
>>>>> We have recently been getting the following message from OSSEC:
>>>>>
>>>>> OSSEC HIDS Notification.
>>>>> 2017 Oct 27 09:40:01
>>>>>
>>>>> Received From: (lxbandt2) 10.8.6.31->/var/log/messages
>>>>> Rule: 5104 fired (level 8) -> "Interface entered in promiscuous(sniffing) mode."
>>>>> Portion of the log(s):
>>>>>
>>>>> Oct 27 09:39:59 lxbandt2 kernel: device eth10 entered promiscuous mode
>>>>>
>>>>> --END OF NOTIFICATION
>>>>>
>>>>> Question
>>>>>
>>>>> Is there a way to ignore this message (and others that are similar), as we
>>>>> have determined that this is not an issue for the server (it seems like
>>>>> Oracle is running a process)?
>>>>>
>>>>> Is it possible to whitelist or somehow have OSSEC ignore this specific
>>>>> warning? If so, where do we code this?
>>>>>
>>>>> I am running OSSEC 2.8.1 on the client and server.
>>>>>
>>>>> Thanks in advance
>>>>>
>>>>> Stephen LuShing
>>>>> Hofstra University - Open System
>>>>> 125 Hofstra University
>>>>> McEwen Hall - Room 208
>>>>> Hempstead, NY 11549
>>>>
>>>> --
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to ossec-list+unsubscr...@googlegroups.com.
>>>> For more options, visit https://groups.google.com/d/optout.
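As an added example (not code from the thread or from the OSSEC project), a small Python check that tells apart the two approaches discussed above: a hostname-scoped child rule whose level sits below <email_alert_level> (still logged, not emailed) versus an overwrite of 5104 to level 0 (silenced for every agent, the caveat Alberto raised). The local_rules.xml and ossec.conf snippets are constructed for illustration; the custom-rule id range is the 100000-120000 quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed local_rules.xml modelled on the two suggestions in the thread:
# a host-scoped child rule (level 5) and a global overwrite of 5104 to level 0.
LOCAL_RULES = r"""<group name="local,">
  <rule id="101234" level="5">
    <if_sid>5104</if_sid>
    <hostname>lxbandt2</hostname>
    <description>Ignore promisc mode events for specific agent(s)</description>
  </rule>
  <rule id="5104" level="0" overwrite="yes">
    <if_sid>5100</if_sid>
    <regex>Promiscuous mode enabled|</regex>
    <regex>device \S+ entered promiscuous mode</regex>
    <description>Interface entered in promiscuous(sniffing) mode.</description>
    <group>promisc,</group>
  </rule>
</group>"""

# Constructed ossec.conf fragment; only <email_alert_level> matters here.
OSSEC_CONF = "<ossec_config><global><email_alert_level>7</email_alert_level></global></ossec_config>"

LOCAL_ID_RANGE = range(100000, 120001)  # custom-rule id range quoted in the thread


def email_alert_level(conf_xml):
    """Return the manager's email threshold (alerts at or above it are emailed)."""
    node = ET.fromstring(conf_xml).find("./global/email_alert_level")
    return int(node.text)


def audit_rules(rules_xml, alert_level):
    """Classify each local rule by what it does to the alert: dict of id -> verdict."""
    verdicts = {}
    for rule in ET.fromstring(rules_xml).iter("rule"):
        rid = rule.get("id")
        level = int(rule.get("level", "0"))
        scoped = rule.find("hostname") is not None
        overwrite = rule.get("overwrite") == "yes"
        if overwrite and level == 0:
            # Level 0 overwrite: no agent's promisc event is alerted on any more.
            verdicts[rid] = "GLOBAL_SILENCE"
        elif int(rid) not in LOCAL_ID_RANGE:
            verdicts[rid] = "ID_OUTSIDE_LOCAL_RANGE"
        elif scoped and level < alert_level:
            verdicts[rid] = "SCOPED_NO_EMAIL"  # still in alerts.log, below email threshold
        elif scoped:
            verdicts[rid] = "SCOPED_STILL_EMAILS"  # level not low enough to stop the mail
        else:
            verdicts[rid] = "UNSCOPED_CHANGE"
    return verdicts
```

Run it against your real /var/ossec/etc/rules/local_rules.xml and ossec.conf to confirm the child rule lands below the threshold before relying on it.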