Ossec and nagios?

Dennis Borkhus-Veto

Oct 12, 2006, 7:12:50 PM
to ossec...@ossec.net
I have been working on setting up a program called nagios on the same server as ossec and now I received the following error and am not sure if it is related.

OSSEC HIDS Notification.
2006 Oct 12 11:58:27

Received From: HULK->/Raid/Log/messages
Rule: 5104 fired (level 8) -> "Interface entered in promiscuous(sniffing) mode."
Portion of the log(s):

kernel: device eth0 entered promiscuous mode


Dennis

Meir Michanie

Oct 12, 2006, 7:46:43 PM
to ossec...@googlegroups.com
That could be related to snort; it is not related to nagios for sure.

Brian Avis

Oct 12, 2006, 7:49:54 PM
to ossec...@googlegroups.com
I got the same message running etherape on my Linux box. I would guess
that any sniffer would cause the same output.

--
Brian Avis
SEARHC Medical Clinic
Juneau, AK 99801
(907) 463-4049
Have a nice diurnal anomaly!

Dennis Borkhus-Veto

Oct 12, 2006, 7:56:04 PM
to ossec...@googlegroups.com
Yes, but I don't have snort on it.

Ken A

Oct 12, 2006, 7:59:24 PM
to ossec...@googlegroups.com, ossec...@ossec.net
Something used libpcap (tcpdump, ethereal, etc.) on that box.
Ken A

Dennis Borkhus-Veto

Oct 12, 2006, 7:58:06 PM
to ossec...@googlegroups.com
Would the tcpdump command?


Nick Baronian

Oct 12, 2006, 9:04:09 PM
to ossec...@googlegroups.com
Yes, tcpdump depends on libpcap. You need libpcap if you have tcpdump
(and most other sniffers like snort, ethereal).

Jeremy Melanson

Oct 12, 2006, 9:38:53 PM
to ossec...@googlegroups.com, ossec...@ossec.net
If it's not tcpdump or some other libpcap application... Is the machine
configured for DHCP?

-----
Jeremy


Jeremy Melanson

Oct 12, 2006, 9:41:46 PM
to ossec...@googlegroups.com, ossec...@ossec.net
I forgot to mention, if the machine is configured to get its address from a
DHCP server, then it's OK to ignore the alert.
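
An added example, not part of the thread or of OSSEC: one way to triage the rule 5104 alert discussed above is to pair each kernel "entered promiscuous mode" line with the matching "left promiscuous mode" line for the same interface, so a short capture session (such as a tcpdump run) shows up as a closed window and an interface that never left stands out. `SAMPLE_LOG`, the function name `promisc_windows` and the `year` parameter are assumptions made for this sketch; classic syslog timestamps carry no year, so it is supplied by the caller.

```python
import re
from datetime import datetime

# Constructed sample in classic syslog format (not copied from the poster's host).
SAMPLE_LOG = """\
Oct 12 11:58:27 HULK kernel: device eth0 entered promiscuous mode
Oct 12 11:58:41 HULK sshd[2211]: Accepted password for dennis from 192.0.2.10 port 40022 ssh2
Oct 12 12:03:02 HULK kernel: device eth0 left promiscuous mode
Oct 12 14:20:00 HULK kernel: device eth1 entered promiscuous mode
"""

# Timestamp, host, optional "[uptime]" prefix, then the kernel message itself.
EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?:\[[^\]]*\] )?"
    r"device (?P<dev>\S+) (?P<verb>entered|left) promiscuous mode")


def promisc_windows(log_text, year=2006):
    """Pair entered/left events per interface.

    Returns (closed, still_open): closed is a list of
    (dev, start, end, seconds) tuples; still_open maps dev -> start
    for interfaces with no matching "left" line in the log.
    """
    open_since, closed = {}, []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        dev = m["dev"]
        if m["verb"] == "entered":
            open_since.setdefault(dev, ts)  # keep the earliest unmatched start
        elif dev in open_since:
            start = open_since.pop(dev)
            closed.append((dev, start, ts, int((ts - start).total_seconds())))
    return closed, open_since


if __name__ == "__main__":
    closed, still_open = promisc_windows(SAMPLE_LOG)
    for dev, start, end, secs in closed:
        print(f"{dev}: promiscuous {start} -> {end} ({secs}s)")
    for dev, start in still_open.items():
        print(f"{dev}: promiscuous since {start}, no 'left' event logged")
```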