
does chkrootkit properly detect a promisc interface?



While doing some normal system maintenance on a box of mine that primarily
runs snort as an IDS, I ran chkrootkit, which ran cleanly, reporting nothing
out of the ordinary. Normally this is a good thing, but then I got to
thinking that if I am running snort, then I am in promiscuous mode and
chkrootkit should report so. So, what I've found is:

	chkrootkit runs /usr/lib/chkrootkit/ifpromisc to determine if an interface is
in promisc mode.

	If I run snort or tcpdump, I receive a message in my kernel log stating that
the interface became promisc (device eth0 entered promiscuous mode);
however, /usr/lib/chkrootkit/ifpromisc does not report this.

	If I 'ifconfig eth0 promisc', then /usr/lib/chkrootkit/ifpromisc does report
that the interface is in promiscuous mode.

	So, either I'm misunderstanding promiscuous mode, or
/usr/lib/chkrootkit/ifpromisc isn't doing its job. Can anyone shed light on this?
			--jordan



