Question
The rule you provided:

<rule id="101234" level="5">
  <if_sid>5104</if_sid>
  <hostname>MYAGENT</hostname>
  <description>Ignore promisc mode events for specific agent(s)</description>
</rule>
If I have more than 1 server that is giving this message, will the entry be like
<hostname>MYAGENT, MYAGENT1, MYAGENT2</hostname>
or do I copy the same statement for different servers?
Thanks in advance
steve lushing
On Tue, Oct 31, 2017 at 10:59 AM, dan (ddp) <[email protected]> wrote:
> On Tue, Oct 31, 2017 at 10:58 AM, Stephen LuShing <[email protected]>
> wrote:
> > Does this child rule go on my main OSSEC server or on the agent side? - I'm
> > still learning OSSEC.
> >
>
> Rules go on the OSSEC manager.
>
> > Thanks in advance
> >
> > Steve Lushing
> >
> > On Mon, Oct 30, 2017 at 11:43 AM, Branch Family <[email protected]>
> > wrote:
> >>
> >> Stephen,
> >>
> >> If you want to granularly de-escalate or whitelist this alert, then create
> >> a child rule to rule 5104 in /var/ossec/etc/rules/local_rules.xml like this,
> >> somewhere in the sid range 100000-120000, with the agent name in question
> >> substituted for MYAGENT.
> >>
> >> <rule id="101234" level="5">
> >>   <if_sid>5104</if_sid>
> >>   <hostname>MYAGENT</hostname>
> >>   <description>Ignore promisc mode events for specific agent(s)</description>
> >> </rule>
> >>
> >> This would drop the severity level of the rule down to 5 for promisc
> >> events involving MYAGENT, hopefully low enough to be below your
> >> <email_alert_level> in ossec.conf so you don't get emailed about it.
> >> Actually 5104 is only a level 8, which would imply your <email_alert_level>
> >> is 8 or lower. I imagine that would email you about a heap of events of
> >> little alert value. You might want to consider bumping up that threshold.
> >> I personally would be deluged with emails even with an <email_alert_level>
> >> value of 10.
> >>
> >> Regards,
> >> Kevin
> >>
> >> On Mon, Oct 30, 2017 at 11:17 AM, Stephen LuShing <[email protected]>
> >> wrote:
> >>>
> >>> I do not want to block the whole event or this alert. Is there a way to
> >>> block or whitelist a specific message from this alert? On this server we are
> >>> getting the "Interface entered in promiscuous(sniffing) mode" for one server
> >>> and a specific network interface.
> >>>
> >>> Can this be done on the agent level? We are basically getting "Oct 27
> >>> 09:39:59 lxbandt2 kernel: device eth10 entered promiscuous mode" message -
> >>> we want to stop getting this as an email but still record it in the logs. Is
> >>> there a way to do this?
> >>>
> >>> Else we may have to filter this email.
> >>>
> >>> Stephen LuShing
> >>>
> >>> On Fri, Oct 27, 2017 at 9:09 PM, <[email protected]> wrote:
> >>>>
> >>>> Hello Stephen
> >>>>
> >>>> I do not know if I understood well, but if you want to disable this
> >>>> alert, you only need to add the following block to your file local_rules.xml
> >>>>
> >>>> <rule id="5104" level="0" overwrite="yes">
> >>>>   <if_sid>5100</if_sid>
> >>>>   <regex>Promiscuous mode enabled|</regex>
> >>>>   <regex>device \S+ entered promiscuous mode</regex>
> >>>>   <description>Interface entered in promiscuous(sniffing) mode.</description>
> >>>>   <group>promisc,</group>
> >>>> </rule>
> >>>>
> >>>> This block will overwrite the official 5104 rule.
> >>>> If you want to do that, you have to be sure, because you are changing
> >>>> the level value of the event in order to dismiss it. It could be possible
> >>>> that other similar events (i.e. a malicious script which changes the network
> >>>> interface to promiscuous mode) will then not be registered as an alert
> >>>> either.
> >>>>
> >>>> Hope it helps.
> >>>> Best regards,
> >>>>
> >>>>
> >>>>
> >>>> On Friday, October 27, 2017 at 7:11:26 AM UTC-7, Stephen LuShing
> wrote:
> >>>>>
> >>>>> We have recently been getting the following message from OSSEC:
> >>>>>
> >>>>>
> >>>>>
> >>>>> OSSEC HIDS Notification.
> >>>>>
> >>>>> 2017 Oct 27 09:40:01
> >>>>>
> >>>>> Received From: (lxbandt2) 10.8.6.31->/var/log/messages
> >>>>>
> >>>>> Rule: 5104 fired (level 8) -> "Interface entered in
> >>>>> promiscuous(sniffing) mode."
> >>>>>
> >>>>> Portion of the log(s):
> >>>>>
> >>>>> Oct 27 09:39:59 lxbandt2 kernel: device eth10 entered promiscuous
> mode
> >>>>>
> >>>>> --END OF NOTIFICATION
> >>>>>
> >>>>> Question
> >>>>>
> >>>>> Is there a way to ignore this message (and others that are similar), as we
> >>>>> have determined that this is not an issue for the server (it seems like
> >>>>> Oracle is running a process)?
> >>>>>
> >>>>> Is it possible to whitelist or somehow have OSSEC ignore this specific
> >>>>> warning? If so, where do we code this?
> >>>>>
> >>>>> I am running OSSEC 2.8.1 on the client and server.
> >>>>>
> >>>>>
> >>>>>
> >>>>> Thanks in advance
> >>>>>
> >>>>>
> >>>>>
> >>>>> Stephen LuShing
> >>>>>
> >>>>> Hofstra University - Open System
> >>>>>
> >>>>> 125 Hofstra University
> >>>>>
> >>>>> McEwen Hall - Room 208
> >>>>>
> >>>>> Hempstead, NY 11549
> >>>>
> >>>> --
> >>>>
> >>>> ---
> >>>> You received this message because you are subscribed to the Google
> >>>> Groups "ossec-list" group.
> >>>> To unsubscribe from this group and stop receiving emails from it, send
> >>>> an email to [email protected].
> >>>> For more options, visit https://groups.google.com/d/optout.
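A fuller version of the child-rule approach from Kevin's reply, written here as an added example; it is not code posted by anyone in the thread. It assumes an OSSEC 2.8 manager with the stock local_rules.xml layout. MYAGENT, MYAGENT1 and MYAGENT2 are placeholder agent names; lxbandt2 and eth10 are the host and interface from the alert quoted above. `<hostname>` is compared against the event's hostname (the agent name, per Kevin's reply; for this alert the agent name and the syslog hostname are both lxbandt2) and is an OSSEC sregex, so several names go in one rule separated by `|` rather than in several copies of the rule or a comma-separated list.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml on the OSSEC manager (added example;
     MYAGENT* are placeholder agent names, lxbandt2/eth10 come from the alert
     quoted in this thread). Rules are loaded by ossec-analysisd, so restart
     the manager after editing. -->
<group name="local,syslog,">

  <!-- Most specific case first: children of the same parent (5104) are tried
       in file order and the first match wins. Only eth10 on lxbandt2 is
       de-escalated; any other interface on that host still fires 5104 at
       level 8. The <regex> is matched against the full log line. -->
  <rule id="101235" level="5">
    <if_sid>5104</if_sid>
    <hostname>^lxbandt2$</hostname>
    <regex>device eth10 entered promiscuous mode</regex>
    <description>Expected promisc mode on lxbandt2 eth10: logged, not emailed.</description>
    <group>promisc,</group>
  </rule>

  <!-- Several agents in one rule. <hostname> is an sregex: '|' separates
       alternatives, and '^' / '$' anchor each one so that MYAGENT does not
       also match MYAGENT1 and MYAGENT2 as a substring. A comma-separated
       list ("MYAGENT, MYAGENT1, MYAGENT2") would be one literal pattern and
       would never match an agent name. -->
  <rule id="101234" level="5">
    <if_sid>5104</if_sid>
    <hostname>^MYAGENT$|^MYAGENT1$|^MYAGENT2$</hostname>
    <description>Promisc mode on a known sniffing host: logged, not emailed.</description>
    <group>promisc,</group>
  </rule>

</group>
```

Level 5 keeps the event in alerts.log (anything at or above `<log_alert_level>`, default 1, is written there) while staying below a sane `<email_alert_level>`; both settings live in the `<alerts>` block of /var/ossec/etc/ossec.conf. A level-0 overwrite of 5104, as in the first reply, would drop the event from alerts.log as well, which is the part Stephen said he wanted to keep. After `/var/ossec/bin/ossec-control restart` on the manager, the next promisc event from lxbandt2 should appear in /var/ossec/logs/alerts/alerts.log as rule 101235 at level 5 instead of 5104 at level 8; if it still shows 5104, check that the `<hostname>` value matches the agent name exactly as it appears in the "Received From:" line of the notification.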