Hi Kelly,

On Tue, Mar 1, 2011 at 1:37 PM, Kelly Fitzgerald <[email protected]> wrote:
> let me reword this, and the OP can correct if i have hijacked his thread.
>
> i would be interested in seeing if ossec can detect masquerader-type
> attacks from the different appliances, such as a router... i think
> ssh would be easier 'cause you have the RSA keys that will change on
> the source, unless it is only a listener, then not so much.
>
> this seems to be more of an application issue though... so i am not
> sure if ossec could detect a specific occurring instance, or even if a
> specific occurrence would warrant an agent-based rule to be set, since
> it would be almost too finite and granular.
>
> can ossec do detection of promiscuous network anomalies? my guess is
> only if it has a "fingerprint" or checksum comparison in a log
> somewhere.
>
> thoughts?
>

OSSEC can discover promiscuous interfaces on an agent. Other than that, there would need to be some application that detects the anomaly and reports it in a way OSSEC can understand.
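
The following is an added example, not part of the original thread and not OSSEC's own code: a small Linux check that reads each interface's flags from `/sys/class/net/<iface>/flags`, tests the `IFF_PROMISC` bit, and writes one log line per promiscuous interface. The log line format, the `promisc-check` tag and the sample data are assumptions made for illustration; a log monitor would still need a rule written for that line.

```python
import os

IFF_PROMISC = 0x100  # interface flag bit defined in <linux/if.h>


def is_promiscuous(flags_text):
    """flags_text is the content of /sys/class/net/<iface>/flags, e.g. '0x1103\\n'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(flags_by_iface):
    """Return the sorted names of interfaces whose flags have IFF_PROMISC set."""
    return sorted(name for name, text in flags_by_iface.items()
                  if is_promiscuous(text))


def read_sysfs_flags(root="/sys/class/net"):
    """Collect {interface: flags text} from sysfs; empty dict if unavailable."""
    flags = {}
    if not os.path.isdir(root):
        return flags
    for iface in os.listdir(root):
        try:
            with open(os.path.join(root, iface, "flags")) as fh:
                flags[iface] = fh.read()
        except OSError:
            continue  # interface vanished or entry is not readable
    return flags


def report_lines(flags_by_iface, tag="promisc-check"):
    """Build one log line per promiscuous interface (format is hypothetical)."""
    return [f"{tag}: interface={name} state=promiscuous"
            for name in promiscuous_interfaces(flags_by_iface)]


# Constructed sample: only eth1 has the 0x100 bit set.
SAMPLE_FLAGS = {"lo": "0x9\n", "eth0": "0x1003\n", "eth1": "0x1103\n"}

if __name__ == "__main__":
    for line in report_lines(read_sysfs_flags() or SAMPLE_FLAGS):
        print(line)
```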
