On Thu, Dec 2, 2010 at 4:29 PM, loyd.darby <[email protected]> wrote:

> You did not give a lot of detail about your setup but I would trust that the
> detector is telling you the truth.
> I do not know how ossec checks the actual interface, but it compares that
> with the output of ifconfig.
> If the device is in promisc mode, but ifconfig does not report it, that is
> how it determines that the machine has a rootkit.
> Since it did not report a rootkit, type ifconfig with no options and it
> should report in promisc mode.
> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
>
> Promiscuous mode can happen on virtual or physical interfaces.
> It can also be a transient condition.
> Starting up packet capture or network analyzer applications will often put
> the interface in promiscuous mode, only while the app is running.
>
>

It looks like that rule is looking for a syslog message mentioning an interface is in promiscuous mode.

> On 12/02/2010 03:35 PM, spinman wrote:
>>
>> I am looking for some help regarding a notification I received from
>> OSSEC. The notification is below. I had my UNIX team look into this
>> and basically IBM said that promiscuous mode isn't enabled because we
>> are not using virtual adapters, we use the whole physical adapter per
>> server partition.
>>
>> Does anyone know why OSSEC would have alerted on this? I'm trying to
>> determine if this is a false positive.
>>
>> ------------------------
>>
>> Received From: (Server) 1.2.3.4->rootcheck
>> Rule: 510 fired (level 7) -> "Host-based anomaly detection event
>> (rootcheck)."
>> Portion of the log(s):
>>
>> Interface 'en0' in promiscuous mode.
>>
>> --END OF NOTIFICATION
>> ----------------------------
>>
>
> --
> R. Loyd Darby, OSSIM-OCSE
> Project Manager DOC/NOAA/NMFS
> Infrastructure coordinator
> Southeast Fisheries Science Center
> 305-361-4297
>
>
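The check Loyd describes above (read the interface's real flags, then compare with what ifconfig reports, and treat "promiscuous in the kernel but absent from ifconfig" as the suspicious case) can be reproduced by hand so the alert can be re-verified on the box. The script below is an added illustration written for this thread; it is not OSSEC's rootcheck code and does not claim to match it. It assumes a Linux host where per-interface flags are readable from /sys/class/net/<name>/flags (the IFF_PROMISC bit is 0x100) and a net-tools style ifconfig; the sample ifconfig output and flag values are constructed for the demo, and en1 is deliberately given a promiscuous flag with no matching ifconfig stanza to show the "hidden" outcome.

```python
import os
import re
import subprocess

# Linux if.h: IFF_PROMISC bit in the interface flags word (assumption: Linux sysfs layout)
IFF_PROMISC = 0x100


def promisc_from_sysfs_flags(flags_text):
    """Parse the hex string from /sys/class/net/<if>/flags and report IFF_PROMISC."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promisc_from_tool_output(output):
    """Return the set of interface names whose ifconfig stanza shows PROMISC.

    Handles both the classic layout ('en0   Link encap...' / '  UP BROADCAST RUNNING PROMISC ...')
    and the newer one ('eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>').
    """
    promisc = set()
    current = None
    for line in output.splitlines():
        if line and not line[0].isspace():          # a new stanza starts in column 0
            current = line.split()[0].rstrip(":")
        if current and re.search(r"\bPROMISC\b", line):
            promisc.add(current)
    return promisc


def classify(kernel_promisc, tool_promisc):
    """Cross-check kernel view against tool view.

    kernel_promisc: {iface: bool} from the flags word
    tool_promisc:   set of iface names that ifconfig labels PROMISC
    Returns {iface: 'clean' | 'promisc' | 'promisc-hidden'}; 'promisc-hidden'
    is the discrepancy the thread says rootcheck reports as a possible rootkit.
    """
    result = {}
    for iface, is_promisc in kernel_promisc.items():
        if not is_promisc:
            result[iface] = "clean"
        elif iface in tool_promisc:
            result[iface] = "promisc"
        else:
            result[iface] = "promisc-hidden"
    return result


def read_kernel_flags(sysfs_root="/sys/class/net"):
    """Read the flags word for every interface under sysfs; empty dict if unavailable."""
    flags = {}
    try:
        names = os.listdir(sysfs_root)
    except OSError:
        return flags
    for name in names:
        try:
            with open(os.path.join(sysfs_root, name, "flags")) as fh:
                flags[name] = promisc_from_sysfs_flags(fh.read())
        except OSError:
            continue
    return flags


def live_check():
    """Run the comparison against the real host (requires Linux sysfs and ifconfig)."""
    kernel = read_kernel_flags()
    try:
        out = subprocess.run(["ifconfig", "-a"], capture_output=True,
                             text=True, check=False).stdout
    except OSError:                                  # ifconfig not installed
        out = ""
    return classify(kernel, promisc_from_tool_output(out))


# Constructed sample data for the offline demo (not captured from a real host).
SAMPLE_IFCONFIG = """\
en0       Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

# 0x1143 = UP|BROADCAST|RUNNING|PROMISC|MULTICAST, 0x49 = UP|LOOPBACK|RUNNING
SAMPLE_KERNEL_FLAGS = {"en0": "0x1143", "lo": "0x49", "en1": "0x1143"}


def demo():
    """Cross-check the constructed sample: en0 visible, lo clean, en1 hidden."""
    kernel = {name: promisc_from_sysfs_flags(v) for name, v in SAMPLE_KERNEL_FLAGS.items()}
    return classify(kernel, promisc_from_tool_output(SAMPLE_IFCONFIG))


if __name__ == "__main__":
    print("sample:", demo())
    print("live:  ", live_check())
```

Running the file prints the sample classification followed by the live one; a transient "promisc" on an interface where tcpdump or a similar capture tool is running matches the benign case described in the thread, while "promisc-hidden" is the outcome worth escalating.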
