[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

does chkrootkit properly detect a promisc interface?

While doing some normal system maintenance on a box of mine that primarily 
runs snort as an ids, I ran chkrootkit which ran cleanly, reporting nothing 
out of the ordinary. Normally this is a good thing, but then I got to 
thinking that if I am running snort, than I am in promiscuous mode and 
chkrootkit should report so. So, what I've found is:
	chkrootkit runs /usr/lib/chkrootkit/ifpromisc to determine if an interface is 
in promisc mode.

	If I run snort or tcpdump, i receive a message in my kernel log stating that 
the interface become promisc (device eth0 entered promiscuous mode) 
however, /usr/lib/chkrootkit/ifpromisc does not report this.

	If I 'ifconfig eth0 promisc' then /usr/lib/chkrootkit/ifpromisc does report 
that the interface is in promiscuous mode. 

	So, either I'm misunderstanding promiscuous mode, or /usr/lib/chkrootkit/
ifpromisc isn't doing it's job. Can anyone shed light on this?

Reply to: