promiscuous mode frequency
40 views
Skip to first unread message
Chinmay Pandya
Apr 19, 2018, 5:04:39 AM4/19/18
to ossec-list
Hi all
I need to modify a rule "5104 - Interface entered in promiscuous(sniffing) mode."
Once a day , all of the boxes will go into promiscuous mode. Time when they enter into this mode is random.
I want to create a rule that in a day, if interface enters more then 1 in promiscuous mode then create alert else reduce level to 0.
Thanks in advance.
I need to modify a rule "5104 - Interface entered in promiscuous(sniffing) mode."
Once a day , all of the boxes will go into promiscuous mode. Time when they enter into this mode is random.
I want to create a rule that in a day, if interface enters more then 1 in promiscuous mode then create alert else reduce level to 0.
Thanks in advance.
_____________________________________________________________
The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system. The firm is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt.
Bruce Westbrook
Apr 19, 2018, 9:01:46 AM4/19/18
to ossec-list
First a comment. You can't drop a rule to a 0 to accomplish this as you'll lose all tracking for it and won't be able to use it for any sort of count. You have to at least set it at level 1. You can, however, choose not to actually log it if you prefer.
Presuming you want this universally, you can overwrite that rule as a composite rule (using your local_rules.xml) that checks for two occurrences from the same host within a 24-hour period. I've not tested this but something like this:
<rule id="5104" level="8" timeframe="86400" frequency="2" overwrite="yes">
<if_matched_sid>5100</if_matched_sid>
<regex>Promiscuous mode enabled|</regex>
<regex>device \S+ entered promiscuous mode</regex>
<same_source_ip />
<description>Interface entered in promiscuous(sniffing) 2x in 24 hrs.</description>
<group>promisc,</group>
</rule>If you still want to alert on single instances for other servers but two instances for this particular group of servers, then you'll instead want to create a set of custom rules. First match on the promisc rule and the servers you're focused on, log but don't send an email. I've found that I need to keep the level at the same or higher than the rule I'm matching on, else it won't trigger (I still don't have a great handle on how OSSEC determines the order it applies rules, as my real-world testing doesn't line up with what's documented, but I believe the levels are part of the logic). Then use a second rule that matches the first but only 2x in a 24-hour period.
Again, untested but something like this:
<rule id="100300" level="8">
<if_matched_sid>5104</if_matched_sid>
<hostname>HOST01|HOST02|host03|host04</hostname>
<options>no_email_alert</options>
<description>Interface entered in promiscuous(sniffing) mode.</description>
<group>promisc,</group>
</rule>
<rule id="100301" level="8" timeframe="86400" frequency="2">
<if_matched_sid>100300</if_matched_sid>
<same_source_ip />
<description>Interface entered in promiscuous(sniffing) 2x in 24 hrs.</description>
<group>promisc,</group>
</rule>
This is how I'd approach it. Others may have different / better ideas.
- Bruce
Chinmay Pandya
Apr 23, 2018, 3:17:38 AM4/23/18
to ossec-list
Hi Bruce
Thanks for the reply
As per ossec documentations for the frequency option "Specifies the number of times the rule must have matched before firing. The number that triggers the rule is actually 2 more than this setting."
So, in below overwrite, if i set frequency as 2 , will not it be 4th instance which will trigger the alert ? Because I want that 2nd instance must trigger the alert.
Thanks for the reply
As per ossec documentations for the frequency option "Specifies the number of times the rule must have matched before firing. The number that triggers the rule is actually 2 more than this setting."
So, in below overwrite, if i set frequency as 2 , will not it be 4th instance which will trigger the alert ? Because I want that 2nd instance must trigger the alert.
<rule id="5104" level="8" timeframe="86400" frequency="2" overwrite="yes">
<if_matched_sid>5100</if_matched_sid>
<regex>Promiscuous mode enabled|</regex>
<regex>device \S+ entered promiscuous mode</regex>
<same_source_ip />
<description>Interface entered in promiscuous(sniffing) 2x in 24 hrs.</description>
<group>promisc,</group>
</rule>Bruce Westbrook
Apr 24, 2018, 10:20:54 AM4/24/18
to ossec-list
Good point, I've stumbled over that before but I don't have any triggers myself that are set that low. I believe you are correct, which raises the question on how to match on only 2? I don't have the answer to that, unless setting it to zero actually works.
Maybe someone else understands that setting better than I and can speak up.
Reply all
Reply to author
Forward
0 new messages