I am looking for some help regarding a notification I received from OSSEC. The notification is below. I had my UNIX team look into this and basically IBM said that promiscuous mode isn't enabled because we are not using virtual adapters; we use the whole physical adapter per server partition.
Does anyone know why OSSEC would have alerted on this? I'm trying to determine if this is a false positive.

------------------------
Received From: (Server) 1.2.3.4->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Interface 'en0' in promiscuous mode.

--END OF NOTIFICATION
----------------------------
