Does this child rule go on my main OSSEC server or on the agent side? I'm still learning OSSEC.
Thanks in advance,
Steve Lushing

On Mon, Oct 30, 2017 at 11:43 AM, Branch Family <[email protected]> wrote:
> Stephen,
>
> If you want to granularly de-escalate or whitelist this alert, then create
> a child rule to rule 5104 in /var/ossec/etc/rules/local_rules.xml like this,
> somewhere in the sid range 100000-120000, with the agent name in question
> substituted for MYAGENT.
>
>   <rule id="101234" level="5">
>     <if_sid>5104</if_sid>
>     <hostname>MYAGENT</hostname>
>     <description>Ignore promisc mode events for specific agent(s)</description>
>   </rule>
>
> This would drop the severity level of the rule down to 5 for promisc
> events involving MYAGENT, hopefully low enough to be below your
> <email_alert_level> in ossec.conf so you don't get emailed about it.
> Actually 5104 is only a level 8, which would imply your <email_alert_level>
> is 8 or lower. I imagine that would email you about a heap of events of
> little alert value. You might want to consider bumping up that threshold.
> I personally would be deluged with emails even with an <email_alert_level>
> value of 10.
>
> Regards,
> Kevin
>
> On Mon, Oct 30, 2017 at 11:17 AM, Stephen LuShing <[email protected]> wrote:
>
>> I do not want to block the whole event or this alert. Is there a way to
>> block or whitelist a specific message from this alert? On this server we
>> are getting the "Interface entered in promiscuous(sniffing) mode" alert for one
>> server and a specific network interface.
>>
>> Can this be done at the agent level? We are basically getting the "Oct 27
>> 09:39:59 lxbandt2 kernel: device eth10 entered promiscuous mode" message;
>> we want to stop getting this as an email but still record it in the logs. Is
>> there a way to do this?
>>
>> Otherwise we may have to filter this email.
>>
>> Stephen LuShing
>>
>> On Fri, Oct 27, 2017 at 9:09 PM, <[email protected]> wrote:
>>
>>> Hello Stephen,
>>>
>>> I do not know if I understood well, but if you want to disable this
>>> alert, you only need to add the following block to your file
>>> local_rules.xml:
>>>
>>>   <rule id="5104" level="0" overwrite="yes">
>>>     <if_sid>5100</if_sid>
>>>     <regex>Promiscuous mode enabled|</regex>
>>>     <regex>device \S+ entered promiscuous mode</regex>
>>>     <description>Interface entered in promiscuous(sniffing) mode.</description>
>>>     <group>promisc,</group>
>>>   </rule>
>>>
>>> This block will overwrite the official 5104 rule.
>>> If you want to do that, you have to be sure, because you are changing
>>> the level value of the event in order to dismiss it. It could be that
>>> other similar events (i.e. a malicious script which changes the network
>>> interface to promiscuous mode) will then not be registered as an alert either.
>>>
>>> Hope it helps.
>>> Best regards,
>>>
>>> On Friday, October 27, 2017 at 7:11:26 AM UTC-7, Stephen LuShing wrote:
>>>>
>>>> We have recently been getting the following message from OSSEC:
>>>>
>>>> OSSEC HIDS Notification.
>>>> 2017 Oct 27 09:40:01
>>>>
>>>> Received From: (lxbandt2) 10.8.6.31->/var/log/messages
>>>> Rule: 5104 fired (level 8) -> "Interface entered in promiscuous(sniffing) mode."
>>>> Portion of the log(s):
>>>>
>>>> Oct 27 09:39:59 lxbandt2 kernel: device eth10 entered promiscuous mode
>>>>
>>>> --END OF NOTIFICATION
>>>>
>>>> Question
>>>>
>>>> Is there a way to ignore this message (and others that are similar), as we
>>>> have determined that this is not an issue for the server (it seems like Oracle
>>>> is running a process)?
>>>>
>>>> If it is possible to whitelist or somehow have OSSEC ignore this
>>>> specific warning, where do we code this?
>>>>
>>>> I am running OSSEC 2.8.1 on the client and server.
>>>>
>>>> Thanks in advance
>>>>
>>>> Stephen LuShing
>>>> Hofstra University - Open System
>>>> 125 Hofstra University
>>>> McEwen Hall - Room 208
>>>> Hempstead, NY 11549
>>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
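As an added example (not posted by anyone in the thread above), here is a complete local_rules.xml fragment that puts the two suggestions from the replies side by side. OSSEC rules are evaluated by ossec-analysisd on the manager, so this file is edited on the server at /var/ossec/etc/rules/local_rules.xml and the agents need no change; they only ship the log lines. MYAGENT and eth10 are placeholders taken from the discussion. The first rule is Kevin's level-5 demotion; the second keeps the original level 8 so the event still lands in alerts.log, but narrows the match to one interface on one agent and sets the no_email_alert option so that this event alone is never mailed, which is what Stephen asked for. Keep only one of the two for a given agent.

```xml
<!-- Added example, not from the thread: /var/ossec/etc/rules/local_rules.xml on the OSSEC manager.
     Local rule ids must be in the 100000-119999 range. MYAGENT and eth10 are placeholders. -->
<group name="local,syslog,promisc,">

  <!-- Variant A (Kevin's suggestion): demote every promisc-mode event from one agent to level 5.
       The event is still written to /var/ossec/logs/alerts/alerts.log (log_alert_level defaults to 1);
       it is only e-mailed if <email_alert_level> in ossec.conf is 5 or lower.
       Other agents are untouched and still fire the stock rule 5104 at level 8. -->
  <rule id="101234" level="5">
    <if_sid>5104</if_sid>
    <hostname>MYAGENT</hostname>
    <description>Promiscuous mode on MYAGENT: expected, lowered to level 5.</description>
  </rule>

  <!-- Variant B (closest to what Stephen asked for): keep the stock level 8 for the alert log,
       but never e-mail it, and only for one interface on one agent. <match> is a plain substring
       match against the kernel message. Any other interface on MYAGENT, and every other agent,
       does not match this child rule and so falls through to rule 5104 and is mailed as before. -->
  <rule id="101235" level="8">
    <if_sid>5104</if_sid>
    <hostname>MYAGENT</hostname>
    <match>device eth10 entered promiscuous mode</match>
    <options>no_email_alert</options>
    <description>Promiscuous mode on eth10 of MYAGENT: logged, not e-mailed.</description>
  </rule>

</group>
```

The `<hostname>` value must match the agent name exactly as it appears in the "Received From: (lxbandt2) ..." line of the notification. Either variant is preferable to the `overwrite="yes"` approach quoted earlier in the thread, which sets 5104 to level 0 for every agent and therefore also hides a genuine sniffer being started on a host where promiscuous mode is not expected. After editing, restart the manager (`/var/ossec/bin/ossec-control restart`) and feed the sample kernel line to `/var/ossec/bin/ossec-logtest` to confirm which rule id and level the line now produces. `<email_alert_level>` itself lives in the `<global>` block of /var/ossec/etc/ossec.conf and defaults to 7, which is why a level-8 rule is mailed out of the box.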
