On Thu, May 13, 2004 at 09:02:45PM +0200, Kjetil Kjernsmo wrote:
>
> Hm, chkrootkit says that eth0 is not promiscuous... And as I said, I
> don't think I ever got Snort to work right... :-)

Are you sure that's not a bug in chkrootkit (false negative)? I introduced
a change in Tiger [1] due to chkrootkit's ifpromisc check not properly
handling the situation in Linux 2.4 and up. From the CVS:

"This only concerns Linux and kernel version 2.4 and up.
The ancient "problem" with promiscuous mode detection lies in the fact that
the SIOCGIFFLAGS ioctl sets a flag called IFF_PROMISC. This flag is read by
ifconfig and for instance Chkrootkit's ifpromisc. However, libpcap/libnet
applications use setsockopt's MR_PACKET_PROMISC which is a counter. This
counter cannot be read by ifconfig nor ifpromisc. The only viable
alternative is to rely on the /sbin/ip binary from Alexey Kuznetsov's
"iproute2" package."

It seems that chkrootkit (since 0.42b-1) fixed this, from the changelog:

  * ifpromisc now parses /proc/net/packet so that it can provide better
    diagnostics. (forwarded patch upstream) (closes: #214990)

But you would not see that if you are running stable (no backports) and
Linux 2.4.

Just FYI

Regards

Javier

[1] http://savannah.nongnu.org/cgi-bin/viewcvs/tiger/tiger/scripts/check_known
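
The /proc/net/packet parsing mentioned in the changelog above can be sketched as follows. This is an added example, not part of the original message and not code from chkrootkit or Tiger. It assumes the column layout current Linux kernels print for /proc/net/packet, the sample rows are constructed, and filtering on ETH_P_ALL is this example's own heuristic for sockets worth a closer look.

```python
import os
from collections import namedtuple

ETH_P_ALL = 0x0003  # <linux/if_ether.h>: the socket receives every protocol

PacketSocket = namedtuple("PacketSocket", "sock_type proto ifindex uid inode")

# Constructed sample rows in the assumed /proc/net/packet column layout.
SAMPLE = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff888004a1c000 3      3    0003   2     1 0      0      18342
ffff888004a1d800 3      2    0800   0     1 0      101    20115
"""

def parse_packet_table(text):
    """Return one PacketSocket per data row; malformed rows are skipped."""
    lines = text.strip().splitlines()
    if not lines:
        return []
    header = lines[0].split()
    socks = []
    for line in lines[1:]:
        row = dict(zip(header, line.split()))
        try:
            socks.append(PacketSocket(int(row["Type"]), int(row["Proto"], 16),
                                      int(row["Iface"]), int(row["User"]),
                                      int(row["Inode"])))
        except (KeyError, ValueError):
            continue
    return socks

def owners(inode, proc_root="/proc"):
    """PIDs holding a descriptor for this socket inode (run as root to see all)."""
    target = "socket:[%d]" % inode
    pids = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            if any(os.readlink(os.path.join(fd_dir, fd)) == target
                   for fd in os.listdir(fd_dir)):
                pids.append(int(pid))
        except OSError:  # process exited or permission denied
            continue
    return sorted(pids)

def capture_all_sockets(text):
    """Packet sockets bound to ETH_P_ALL, the binding libpcap captures use."""
    return [s for s in parse_packet_table(text) if s.proto == ETH_P_ALL]

if __name__ == "__main__":
    with open("/proc/net/packet") as fh:
        for s in capture_all_sockets(fh.read()):
            print("ifindex", s.ifindex, "uid", s.uid, "pids", owners(s.inode))
```

Legitimate programs such as DHCP clients also hold packet sockets, so the PIDs printed are candidates to review, not findings.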