Can you post the output of 'ifconfig en0' (obfuscating IPs and whatnot)? I'm not sure if your OS (AIX?) puts information like promiscuous mode in the ifconfig output, but it's worth a shot. Also check the logs to see if there was a notice of the adapter going into promisc mode or something.
On Thu, Dec 2, 2010 at 3:35 PM, spinman <[email protected]> wrote: > I am looking for some help regarding a notification I received from > OSSEC. The notification is below. I had my UNIX team look into this > and basically IBM said that promiscuous mode isn't enabled because we > are not using virtual adapters, we use the whole physical adapter per > server partition. > > Does anyone know why OSSEC would have alerted on this? I'm trying to > determine if this is a false positive. > > ------------------------ > > Received From: (Server) 1.2.3.4->rootcheck > Rule: 510 fired (level 7) -> "Host-based anomaly detection event > (rootcheck)." > Portion of the log(s): > > Interface 'en0' in promiscuous mode. > > --END OF NOTIFICATION > ----------------------------
