[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Large, constant incoming traffic

On Thu, May 13, 2004 at 09:02:45PM +0200, Kjetil Kjernsmo wrote:
> Hm, chkrootkit says that eth0 is not promiscuous... And as I said, I 
> don't think I ever got Snort to work right... :-) 

Are you sure that's not a bug in chkrootkit (false negative)? I introduced 
a change in the Tiger [1] due to chkrootkit's ifpromisc check not handling 
properly the situation in linux 2.4 and up. From the CVS:

"This only concerns Linux and kernel version 2.4 and up.
The ancient "problem" with promiscuous mode detection lies in the fact the
SIOCGIFFLAGS ioctl sets a flag called IFF_PROMISC. This flag is read by
ifconfig and for instance Chkrootkit's ifpromisc. However, libpcap/libnet
applications use setsockopt's MR_PACKET_PROMISC which is a counter. This
counter cannot be read by ifconfig nor ifpromisc. The only viable
alternative is to rely on the /sbin/ip binary from Alexey Kutzenov's
"iproute2" package."

It seems that chkrookit (since 0.42b-1) fixed this, from the changelog:
 * ifpromisc now parses /proc/net/packet so that it can provide better
    diagnostics. (forwarded patch upstream) (closes: #214990)

But you would not see that if you are running stable (no backports) and 
linux 2.4

Just FYI




Attachment: signature.asc
Description: Digital signature

Reply to: