It looks good with the statement as we are not getting a large amount of email alerts.

Thanks for the help

Steve lushing

On Thu, Nov 2, 2017 at 11:18 AM, Branch Family <[email protected]> wrote:
> Actually, you would need this:
>
> <hostname>MYAGENT|MYAGENT1|MYAGENT2</hostname>
>
> Kevin
>
> On Thu, Nov 2, 2017 at 10:26 AM, Stephen LuShing <[email protected]> wrote:
>
>> Question
>>
>> The rule you provided
>>
>> <rule id="101234" level="5">
>>   <if_sid>5104</if_sid>
>>   <hostname>MYAGENT</hostname>
>>   <description>Ignore promisc mode events for specific agent(s)</description>
>> </rule>
>>
>> If I have more than 1 server that is giving this message, will the entry be like
>>
>> <hostname>MYAGENT, MYAGENT1, MYAGENT2</hostname>
>>
>> or do I copy the same statement for different servers.
>>
>> Thanks in advance
>>
>> steve lushing
>>
>> On Tue, Oct 31, 2017 at 10:59 AM, dan (ddp) <[email protected]> wrote:
>>
>>> On Tue, Oct 31, 2017 at 10:58 AM, Stephen LuShing <[email protected]> wrote:
>>> > Does this child rule go on my main ossec server or on the agent side. - I'm still learning OSSEC.
>>> >
>>>
>>> Rules go on the OSSEC manager.
>>>
>>> > Thanks in advance
>>> >
>>> > Steve Lushing
>>> >
>>> > On Mon, Oct 30, 2017 at 11:43 AM, Branch Family <[email protected]> wrote:
>>> >>
>>> >> Stephen,
>>> >>
>>> >> If you want to granularly de-escalate or whitelist this alert, then create a child rule to rule 5104 in /var/ossec/etc/rules/local_rules.xml like this, somewhere in the sid range 100000-120000, with the agent name in question substituted for MYAGENT.
>>> >>
>>> >> <rule id="101234" level="5">
>>> >>   <if_sid>5104</if_sid>
>>> >>   <hostname>MYAGENT</hostname>
>>> >>   <description>Ignore promisc mode events for specific agent(s)</description>
>>> >> </rule>
>>> >>
>>> >> This would drop the severity level of the rule down to 5 for promisc events involving MYAGENT, hopefully low enough to be below your <email_alert_level> in ossec.conf so you don't get emailed about it.
>>> >>
>>> >> Actually 5104 is only a level 8, which would imply your <email_alert_level> is 8 or lower. I imagine that would email you about a heap of events of little alert value. You might want to consider bumping up that threshold. I personally would be deluged with emails even with an <email_alert_level> value of 10.
>>> >>
>>> >> Regards,
>>> >> Kevin
>>> >>
>>> >> On Mon, Oct 30, 2017 at 11:17 AM, Stephen LuShing <[email protected]> wrote:
>>> >>>
>>> >>> I do not want to block the whole event or this alert. Is there a way to block or whitelist a specific message from this alert. On this server we are getting the Interface entered in promiscuous(sniffing) mode for one server and a specific network interface.
>>> >>>
>>> >>> Can this be done on the agent level. We are basically getting "Oct 27 09:39:59 lxbandt2 kernel: device eth10 entered promiscuous mode" message - we want to stop getting this as an email but still record it on the logs. Is there a way to do this.
>>> >>>
>>> >>> Else we may have to filter this email.
>>> >>>
>>> >>> Stephen LuShing
>>> >>>
>>> >>> On Fri, Oct 27, 2017 at 9:09 PM, <[email protected]> wrote:
>>> >>>>
>>> >>>> Hello Stephen
>>> >>>>
>>> >>>> I do not know if I understood well, but if you want to disable this alert, you only need to add the following block to your file local_rules.xml
>>> >>>>
>>> >>>> <rule id="5104" level="0" overwrite="yes">
>>> >>>>   <if_sid>5100</if_sid>
>>> >>>>   <regex>Promiscuous mode enabled|</regex>
>>> >>>>   <regex>device \S+ entered promiscuous mode</regex>
>>> >>>>   <description>Interface entered in promiscuous(sniffing) mode.</description>
>>> >>>>   <group>promisc,</group>
>>> >>>> </rule>
>>> >>>>
>>> >>>> This block will overwrite the official 5104 rule. If you want to do that, you have to be sure, because you are changing the level value of the event in order to dismiss it. It could be possible that for other similar events (i.e. a malicious script which changes the network interface to promiscuous mode), the event will not be registered as an alert either.
>>> >>>>
>>> >>>> Hope it helps.
>>> >>>> Best regards,
>>> >>>>
>>> >>>> On Friday, October 27, 2017 at 7:11:26 AM UTC-7, Stephen LuShing wrote:
>>> >>>>>
>>> >>>>> We have recently been getting the following message from OSSEC:
>>> >>>>>
>>> >>>>> OSSEC HIDS Notification.
>>> >>>>> 2017 Oct 27 09:40:01
>>> >>>>>
>>> >>>>> Received From: (lxbandt2) 10.8.6.31->/var/log/messages
>>> >>>>> Rule: 5104 fired (level 8) -> "Interface entered in promiscuous(sniffing) mode."
>>> >>>>> Portion of the log(s):
>>> >>>>>
>>> >>>>> Oct 27 09:39:59 lxbandt2 kernel: device eth10 entered promiscuous mode
>>> >>>>>
>>> >>>>> --END OF NOTIFICATION
>>> >>>>>
>>> >>>>> Question
>>> >>>>>
>>> >>>>> Is there a way to ignore this message (or others that are similar) as we determine that this is not an issue for the server (It seems like Oracle is running a process)
>>> >>>>>
>>> >>>>> If this is possible to whitelist or somehow have OSSEC ignore this specific warning. If so – where do we code this.
>>> >>>>>
>>> >>>>> I am running OSSEC 2.8.1 on the client and server.
>>> >>>>>
>>> >>>>> Thanks in advance
>>> >>>>>
>>> >>>>> Stephen LuShing
>>> >>>>> Hofstra University - Open System
>>> >>>>> 125 Hofstra University
>>> >>>>> McEwen Hall - Room 208
>>> >>>>> Hempstead, NY 11549
>>> >>>>
>>> >>>> --
>>> >>>> ---
>>> >>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>> >>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> >>>> For more options, visit https://groups.google.com/d/optout.
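The thread describes two ways to quiet rule 5104: Kevin's child rule (101234) that lowers the level only for the agents named in `<hostname>MYAGENT|MYAGENT1|MYAGENT2</hostname>`, and the earlier reply's `overwrite="yes"` rule that sets 5104 itself to level 0 for every agent. The following is an added example, not code from the ossec-list thread or from the OSSEC project: a small Python simulator of the parent-to-child rule walk (5100 -> 5104 -> 101234) that loads the rule XML quoted in the thread and reports the resulting level for a given agent and log line, so the two approaches can be compared on the same event. It assumes a simplified stand-in for the stock 5100 parent (a plain `<match>` on "kernel: ", whereas the real rule is keyed on the kernel decoder), approximates OSSEC's own regex dialect with Python's `re` module, and uses constructed values for `EMAIL_ALERT_LEVEL` (7), the agent name `dbserver9`, and all helper names.

```python
# Added example: a rule-chain simulator for the OSSEC rules quoted in the thread.
# Constructed assumptions: simplified 5100 parent, Python re in place of OSSEC's
# regex dialect, EMAIL_ALERT_LEVEL=7, and the agent name "dbserver9".
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional

# Stand-in for the stock rules: simplified 5100 parent plus 5104 as quoted in the thread.
STOCK_RULES = r"""
<group name="syslog,">
  <rule id="5100" level="0">
    <match>kernel: </match>
  </rule>
  <rule id="5104" level="8">
    <if_sid>5100</if_sid>
    <regex>Promiscuous mode enabled|</regex>
    <regex>device \S+ entered promiscuous mode</regex>
    <description>Interface entered in promiscuous(sniffing) mode.</description>
  </rule>
</group>
"""

# Option A from the thread: child rule that de-escalates only the named agents.
CHILD_RULE = """
<group name="local,">
  <rule id="101234" level="5">
    <if_sid>5104</if_sid>
    <hostname>MYAGENT|MYAGENT1|MYAGENT2</hostname>
    <description>Ignore promisc mode events for specific agent(s)</description>
  </rule>
</group>
"""

# Option B from the thread: overwrite 5104 with level 0 (silences every agent).
OVERWRITE_RULE = r"""
<group name="local,">
  <rule id="5104" level="0" overwrite="yes">
    <if_sid>5100</if_sid>
    <regex>Promiscuous mode enabled|</regex>
    <regex>device \S+ entered promiscuous mode</regex>
    <description>Interface entered in promiscuous(sniffing) mode.</description>
    <group>promisc,</group>
  </rule>
</group>
"""

LOG = "Oct 27 09:39:59 lxbandt2 kernel: device eth10 entered promiscuous mode"
EMAIL_ALERT_LEVEL = 7  # constructed; the thread only says the poster's is 8 or lower


@dataclass
class Rule:
    rid: str
    level: int
    if_sid: Optional[str]
    match: Optional[str]
    regex: Optional[str]
    hostname: Optional[str]
    description: str


def load_rules(*xml_docs: str) -> Dict[str, Rule]:
    """Parse rule XML in load order; overwrite="yes" replaces an existing id."""
    rules: Dict[str, Rule] = {}
    for doc in xml_docs:
        for r in ET.fromstring(doc).iter("rule"):
            # Consecutive <regex> elements are concatenated, so the trailing '|'
            # in the first one turns the pair into a single alternation.
            regex = "".join(e.text or "" for e in r.findall("regex")) or None
            rule = Rule(r.get("id"), int(r.get("level")), r.findtext("if_sid"),
                        r.findtext("match"), regex, r.findtext("hostname"),
                        (r.findtext("description") or "").strip())
            if rule.rid in rules and r.get("overwrite") != "yes":
                raise ValueError(f"duplicate rule id {rule.rid} without overwrite")
            rules[rule.rid] = rule
    return rules


def rule_matches(rule: Rule, hostname: str, message: str) -> bool:
    """<match> is a substring test; <regex> and <hostname> use re.search here
    as an approximation of OSSEC's matcher ('|' means OR in both)."""
    if rule.match and rule.match not in message:
        return False
    if rule.regex and not re.search(rule.regex, message):
        return False
    if rule.hostname and not re.search(rule.hostname, hostname):
        return False
    return True


def evaluate(rules: Dict[str, Rule], hostname: str, message: str) -> Optional[Rule]:
    """Walk parent -> child via if_sid; the deepest matching rule wins."""
    matched = None
    candidates = [r for r in rules.values() if r.if_sid is None]
    while candidates:
        hit = next((r for r in candidates if rule_matches(r, hostname, message)), None)
        if hit is None:
            break
        matched = hit
        candidates = [r for r in rules.values() if r.if_sid == hit.rid]
    return matched


def alert_level(rules: Dict[str, Rule], hostname: str, message: str) -> Optional[int]:
    rule = evaluate(rules, hostname, message)
    return rule.level if rule else None


def would_email(level: Optional[int], threshold: int = EMAIL_ALERT_LEVEL) -> bool:
    """Level 0 is never alerted; otherwise mail goes out at or above the threshold."""
    return level is not None and level > 0 and level >= threshold


if __name__ == "__main__":
    child = load_rules(STOCK_RULES, CHILD_RULE)
    over = load_rules(STOCK_RULES, OVERWRITE_RULE)
    for label, rules, host in [("child rule", child, "MYAGENT1"),
                               ("child rule", child, "dbserver9"),
                               ("overwrite", over, "dbserver9")]:
        lvl = alert_level(rules, host, LOG)
        print(f"{label:10s} {host:10s} level={lvl} email={would_email(lvl)}")
```

Run it to see the difference the thread warns about: with the child rule, `MYAGENT1` drops to level 5 and stays below the constructed threshold while any other agent still fires at level 8 and is mailed; with the overwrite, every agent lands at level 0 and the event is not alerted at all. Two caveats for the real system: `re.search` is unanchored, so `MYAGENT` also matches `MYAGENT10`, and OSSEC's matcher is its own dialect, so confirm the actual behaviour of a rule change with `/var/ossec/bin/ossec-logtest` on the manager before relying on it.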
