Does chkrootkit properly detect a promisc interface?
While doing some normal system maintenance on a box of mine that primarily
runs snort as an IDS, I ran chkrootkit, which ran cleanly, reporting nothing
out of the ordinary. Normally this is a good thing, but then I got to
thinking that if I am running snort, then I am in promiscuous mode and
chkrootkit should report so. So, what I've found is:
chkrootkit runs /usr/lib/chkrootkit/ifpromisc to determine if an interface is
in promisc mode.
If I run snort or tcpdump, I receive a message in my kernel log stating that
the interface became promisc (device eth0 entered promiscuous mode);
however, /usr/lib/chkrootkit/ifpromisc does not report this.
If I 'ifconfig eth0 promisc' then /usr/lib/chkrootkit/ifpromisc does report
that the interface is in promiscuous mode.
So, either I'm misunderstanding promiscuous mode, or
/usr/lib/chkrootkit/ifpromisc isn't doing its job. Can anyone shed light on this?
--jordan
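An added audit script (example code, not chkrootkit's ifpromisc or anything from the list) that checks both indicators the post contrasts: it assumes the interface flag word that ifconfig and flag-based checks read only shows promiscuous mode set administratively, while a sniffer's packet socket instead bumps the kernel's per-interface promiscuity counter, which iproute2's `ip -d link show` prints on kernels that export it. The sample output and interface names below are constructed, not captured from a real host.

```python
import re
import subprocess

# `ip -d link show` header line ("2: eth0: <BROADCAST,...>") and the detail line carrying the counter.
_HEADER = re.compile(r"^\d+: (?P<name>[^:@\s]+)(?:@\S+)?: <(?P<flags>[^>]*)>")
_COUNTER = re.compile(r"\bpromiscuity (?P<count>\d+)")

# Constructed sample output (not from a real host): eth0 is held promiscuous by a
# sniffer's packet socket only, eth1 was set with `ip link set eth1 promisc on`.
SAMPLE_IP_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535
"""

def parse_ip_link_detail(text):
    """Map ifname -> (PROMISC flag present in <...>, kernel promiscuity counter)."""
    result, name = {}, None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            name = m.group("name")
            result[name] = ["PROMISC" in m.group("flags").split(","), 0]
        elif name is not None and (m := _COUNTER.search(line)):
            result[name][1] = int(m.group("count"))
    return {k: tuple(v) for k, v in result.items()}

def classify(flag_set, promiscuity):
    """Combine both indicators; only the counter catches socket-held promiscuity."""
    if flag_set:
        return "promiscuous (set administratively; flag-based checks see it)"
    if promiscuity > 0:
        return "promiscuous (held by a packet socket; flag-based checks miss it)"
    return "not promiscuous"

def audit(ip_output=None):
    """Audit this host (needs iproute2 in PATH), or the supplied `ip -d link show` text."""
    if ip_output is None:
        ip_output = subprocess.run(["ip", "-d", "link", "show"], capture_output=True,
                                   text=True, check=True).stdout
    return {n: classify(f, c) for n, (f, c) in parse_ip_link_detail(ip_output).items()}

if __name__ == "__main__":
    for ifname, verdict in audit(SAMPLE_IP_OUTPUT).items():
        print(f"{ifname}: {verdict}")
```

Call `audit()` with no argument to run it against the live host instead of the constructed sample.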