You did not give a lot of detail about your setup but I would trust that
the detector is telling you the truth.
I do not know how OSSEC checks the actual interface, but it compares
that with the output of ifconfig.
If the device is in promisc mode, but ifconfig does not report it, that
is how it determines that the machine has a rootkit.
Since it did not report a rootkit, type ifconfig with no options and it
should report in promisc mode.
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
Promiscuous mode can happen on virtual or physical interfaces.
It can also be a transient condition.
Starting up packet capture or network analyzer applications will often
put the interface in promiscuous mode, only while the app is running.
On 12/02/2010 03:35 PM, spinman wrote:
I am looking for some help regarding a notification I received from
OSSEC. The notification is below. I had my UNIX team look into this
and basically IBM said that promiscuous mode isn't enabled because we
are not using virtual adapters, we use the whole physical adapter per
server partition.
Does anyone know why OSSEC would have alerted on this? I'm trying to
determine if this is a false positive.
------------------------
Received From: (Server) 1.2.3.4->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event
(rootcheck)."
Portion of the log(s):
Interface 'en0' in promiscuous mode.
--END OF NOTIFICATION
----------------------------
--
R. Loyd Darby, OSSIM-OCSE
Project Manager DOC/NOAA/NMFS
Infrastructure coordinator
Southeast Fisheries Science Center
305-361-4297
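A defender-side version of the comparison described in the reply above (the kernel's own interface flag versus what ifconfig reports), added here as an example; it is not OSSEC's code nor anything posted in the thread. It assumes a Linux host, where /sys/class/net/<iface>/flags exposes the same flag mask as ioctl(SIOCGIFFLAGS) and net-tools ifconfig is installed; the sample outputs are constructed.

```python
import re
import subprocess

# Linux value of IFF_PROMISC from <linux/if.h>; /sys/class/net/<iface>/flags
# exposes the same bit mask as the ioctl(SIOCGIFFLAGS) call, in hex.
IFF_PROMISC = 0x100

def kernel_promisc(flags_text):
    """True if the kernel's interface flags (hex text such as '0x1103') carry IFF_PROMISC."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def ifconfig_promisc(iface, ifconfig_output):
    """True if the ifconfig stanza for iface mentions PROMISC.
    Handles the old net-tools layout ('UP BROADCAST RUNNING PROMISC ...')
    and the newer one ('flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>').
    """
    current = None
    for line in ifconfig_output.splitlines():
        if line and not line[0].isspace():          # a new stanza starts unindented
            current = line.split()[0].rstrip(":")
        if current == iface and re.search(r"\bPROMISC\b", line):
            return True
    return False

def classify(iface, flags_text, ifconfig_output):
    """Combine both views the way the rootcheck logic in the reply is described."""
    kernel = kernel_promisc(flags_text)
    shown = ifconfig_promisc(iface, ifconfig_output)
    if kernel and not shown:
        return "hidden"        # kernel says PROMISC but ifconfig hides it: rootkit indicator
    if kernel:
        return "promisc"       # consistent; expect a sniffer or analyzer to be running
    if shown:
        return "inconsistent"  # ifconfig claims PROMISC while the kernel flag is clear
    return "clean"

def check_live(iface):
    """Run the comparison on a real Linux host (needs /sys and net-tools ifconfig)."""
    with open(f"/sys/class/net/{iface}/flags") as f:
        flags = f.read()
    out = subprocess.run(["ifconfig", iface], capture_output=True, text=True).stdout
    return classify(iface, flags, out)

# Constructed sample outputs (not captured from the host in the thread).
OLD_STYLE = ("eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55\n"
             "          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1\n")
NEW_STYLE = "eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500\n"
```

With the kernel flag 0x1103 (PROMISC set) and OLD_STYLE the result is "promisc"; the same flag with NEW_STYLE, which omits PROMISC, yields "hidden", the case rootcheck treats as a rootkit sign.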