I get this when I fire up Snort. I'd say it's a true positive.

Sent from my iPhone

On Dec 2, 2010, at 15:13, "dan (ddp)" <[email protected]> wrote:

> On Thu, Dec 2, 2010 at 4:29 PM, loyd.darby <[email protected]> wrote:
>> You did not give a lot of detail about your setup, but I would trust that the detector is telling you the truth.
>> I do not know how ossec checks the actual interface, but it compares that with the output of ifconfig.
>> If the device is in promisc mode but ifconfig does not report it, that is how it determines that the machine has a rootkit.
>> Since it did not report a rootkit, type ifconfig with no options and it should report in promisc mode:
>> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
>>
>> Promiscuous mode can happen on virtual or physical interfaces.
>> It can also be a transient condition.
>> Starting up packet capture or network analyzer applications will often put the interface in promiscuous mode, only while the app is running.
>>
>
> It looks like that rule is looking for a syslog message mentioning an interface is in promiscuous mode.
>
>> On 12/02/2010 03:35 PM, spinman wrote:
>>> I am looking for some help regarding a notification I received from OSSEC. The notification is below. I had my UNIX team look into this, and basically IBM said that promiscuous mode isn't enabled because we are not using virtual adapters; we use the whole physical adapter per server partition.
>>>
>>> Does anyone know why OSSEC would have alerted on this? I'm trying to determine if this is a false positive.
>>>
>>> ------------------------
>>>
>>> Received From: (Server) 1.2.3.4->rootcheck
>>> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
>>> Portion of the log(s):
>>>
>>> Interface 'en0' in promiscuous mode.
>>>
>>> --END OF NOTIFICATION
>>> ----------------------------
>>
>> --
>> R. Loyd Darby, OSSIM-OCSE
>> Project Manager DOC/NOAA/NMFS
>> Infrastructure coordinator
>> Southeast Fisheries Science Center
>> 305-361-4297
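The check Loyd describes above (the interface flag the kernel holds versus what ifconfig prints) as an added example; this is not code from the thread or from OSSEC itself. The ifconfig text, interface names and flag words are constructed, `IFF_PROMISC = 0x100` is the Linux value, and the sysfs probe is a Linux-only assumption (AIX prints en0 differently).

```python
import re

IFF_PROMISC = 0x100  # Linux <linux/if.h> flag bit for promiscuous mode


def ifconfig_reports_promisc(ifconfig_output: str, iface: str) -> bool:
    """Return True if the flags line belonging to `iface` contains PROMISC.

    ifconfig prints one block per interface: a header line starting in
    column 0 with the name, then indented detail lines.
    """
    current = None
    for line in ifconfig_output.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0].rstrip(":")  # new interface block
        if current == iface and re.search(r"\bPROMISC\b", line):
            return True
    return False


def classify(kernel_flags: int, ifconfig_output: str, iface: str) -> str:
    """Three outcomes, mirroring the logic described in the thread:
    clean           - kernel flag not set, nothing to report
    promisc         - kernel flag set and ifconfig shows it (a sniffer is
                      running; the alert in the thread is this case)
    hidden-promisc  - kernel flag set but ifconfig hides it: rootkit suspicion
    """
    kernel_promisc = bool(kernel_flags & IFF_PROMISC)
    if not kernel_promisc:
        return "clean"
    if ifconfig_reports_promisc(ifconfig_output, iface):
        return "promisc"
    return "hidden-promisc"


def read_live_flags(iface: str):
    """Linux sysfs probe (assumption); returns None where /sys is absent."""
    try:
        with open(f"/sys/class/net/{iface}/flags") as f:
            return int(f.read().strip(), 16)
    except (OSError, ValueError):
        return None


# Constructed ifconfig output: en0 sniffing, en1 normal.
SAMPLE_IFCONFIG = """en0       Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
en1       Link encap:Ethernet  HWaddr 00:11:22:33:44:66
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

if __name__ == "__main__":
    for name, flags in (("en0", 0x1103), ("en1", 0x1003)):
        print(name, classify(flags, SAMPLE_IFCONFIG, name))
```

A "promisc" result is worth correlating with process start events (tcpdump, Snort) before treating it as malicious; only "hidden-promisc" points at userland tampering.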
