Hello,
Greetings!
I have come across a situation where one of my Wazuh Agents is generating infinite logs in /var/log/messages and /var/log/audit.log and sending them to the Manager.
When checked, it has docker running, due to which there are countless logs such as:
1> Auditd: Device enables promiscuous mode.
2> Interface entered in promiscuous(sniffing) mode.
After googling, I came to know that this is normal behavior when docker is installed.
My query here is: do I get an option anywhere under the agent configuration to limit or completely ignore these alerts? I learnt that it is possible by setting up a custom ruleset under the Manager.
Request you to please guide me here.
Thanks,
swapnils
Hello Openime,
I created the following file referring to the default rules, but I could see that it has not taken effect. Could you please advise what has gone wrong here?
# ls -l /var/ossec/etc/rules/custom-rule.xml
-rw-rw---- 1 wazuh wazuh 1733 Dec 5 14:09 /var/ossec/etc/rules/custom-rule.xml
File contains -
# cat custom-rule.xml
<!-- From SYSLOG FILE -->
<group name="syslog,linuxkernel,">
  <!-- 5100 already exists in the default ruleset; redefining an existing id
       without overwrite="yes" makes analysisd reject the whole file as a
       duplicate rule id, so the attribute is required here too. -->
  <rule id="5100" level="0" noalert="1" overwrite="yes">
    <program_name>^kernel</program_name>
    <description>Pre-match rule for kernel messages.</description>
  </rule>
  <!-- Copy of default rule 5104 with ignore="3600": after one alert, further
       matches are ignored for an hour. timeframe has no effect without frequency. -->
  <rule id="5104" level="8" timeframe="10800" ignore="3600" overwrite="yes">
    <if_sid>5100</if_sid>
    <regex>Promiscuous mode enabled|</regex>
    <regex>device \S+ entered promiscuous mode</regex>
    <description>Interface entered in promiscuous(sniffing) mode.</description>
    <mitre>
      <id>T1040</id>
    </mitre>
    <group>promisc,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.13,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_SI.4,tsc_CC7.2,tsc_CC7.3,tsc_CC6.1,tsc_CC6.8,</group>
  </rule>
</group>
<!-- From AUDIT FILE -->
<group name="audit,">
  <!-- Same as above: 80700 is a default rule, so overwrite="yes" is required. -->
  <rule id="80700" level="0" overwrite="yes">
    <decoded_as>auditd</decoded_as>
    <description>Audit: Messages grouped.</description>
  </rule>
  <!-- Copy of default rule 80710 with ignore="3600". -->
  <rule id="80710" level="10" timeframe="10800" ignore="3600" overwrite="yes">
    <if_sid>80700</if_sid>
    <field name="audit.type">ANOM_PROMISCUOUS</field>
    <match>prom=256</match>
    <description>Auditd: Device enables promiscuous mode.</description>
    <group>audit_anom,gdpr_IV_30.1.g,gdpr_IV_35.7.d,gpg13_4.14,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_SI.4,pci_dss_10.6.1,pci_dss_11.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>
Thanks & Regards,
swapnils
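The following is an added example of the "custom ruleset under the Manager" approach asked about in the first post and attempted in the second; it is not code from the thread or from the Wazuh project. Instead of copying and overwriting the default rules, it adds two child rules at level 0 underneath the default promiscuous-mode rules 5104 and 80710, so the events for Docker's virtual interfaces are silenced while the original alert (MITRE T1040) still fires if a physical NIC enters promiscuous mode. The rule ids 100100 and 100101 sit in the range Wazuh reserves for custom rules, and the interface-name patterns (veth*, docker0, br-*) are assumptions about how Docker names its interfaces on this host.

```xml
<!-- Added example for /var/ossec/etc/rules/local_rules.xml on the Manager.
     Assumptions: Docker interfaces are named veth*, docker0 or br-*; ids
     100100/100101 are unused in the custom range. -->
<group name="local,docker,promisc,">

  <!-- Syslog path: child of default rule 5104 (kernel "device X entered
       promiscuous mode"). Level 0 generates no alert, but only when the
       interface name matches a Docker pattern; anything else still hits 5104. -->
  <rule id="100100" level="0">
    <if_sid>5104</if_sid>
    <match>device veth|device docker0|device br-</match>
    <description>Docker virtual interface entered promiscuous mode (expected, suppressed).</description>
  </rule>

  <!-- Audit path: child of default rule 80710 (ANOM_PROMISCUOUS with prom=256).
       The auditd record names the interface as dev=... in the message. -->
  <rule id="100101" level="0">
    <if_sid>80710</if_sid>
    <match>dev=veth|dev=docker0|dev=br-</match>
    <description>Auditd: Docker virtual interface enabled promiscuous mode (expected, suppressed).</description>
  </rule>

</group>
```

Files under /var/ossec/etc/rules/ are loaded after the default ruleset, so the if_sid parents exist when these rules are read. After restarting the manager, paste one of the original kernel or auditd lines into /var/ossec/bin/wazuh-logtest (ossec-logtest on older releases) and confirm that the rule reported is 100100 or 100101 rather than 5104 or 80710; a line for a non-Docker interface should still end at the default rule.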
Hi, thank you for the help!
I thought the overwrite parameter would do the job. I shall get it checked and update you.
Regards,