On Thu, May 13, 2004 at 09:02:45PM +0200, Kjetil Kjernsmo wrote:
>
> Hm, chkrootkit says that eth0 is not promiscuous... And as I said, I
> don't think I ever got Snort to work right... :-)

Are you sure that's not a bug in chkrootkit (false negative)? I introduced a change in Tiger [1] due to chkrootkit's ifpromisc check not properly handling the situation in Linux 2.4 and up. From the CVS:

  "This only concerns Linux and kernel version 2.4 and up. The ancient "problem" with promiscuous mode detection lies in the fact the SIOCGIFFLAGS ioctl sets a flag called IFF_PROMISC. This flag is read by ifconfig and for instance Chkrootkit's ifpromisc. However, libpcap/libnet applications use setsockopt's MR_PACKET_PROMISC which is a counter. This counter cannot be read by ifconfig nor ifpromisc. The only viable alternative is to rely on the /sbin/ip binary from Alexey Kutzenov's "iproute2" package."

It seems that chkrootkit (since 0.42b-1) fixed this, from the changelog:

  * ifpromisc now parses /proc/net/packet so that it can provide better diagnostics. (forwarded patch upstream) (closes: #214990)

But you would not see that if you are running stable (no backports) and Linux 2.4.

Just FYI

Regards

Javier

[1] http://savannah.nongnu.org/cgi-bin/viewcvs/tiger/tiger/scripts/check_known
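The two data sources this message names, the flag list printed by /sbin/ip and the socket table in /proc/net/packet, read side by side in an added example that is not part of the original post and is not Tiger's or chkrootkit's code. The sample inputs are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Tiger or chkrootkit code). Function names are hypothetical.

# Constructed `ip link show` output; eth0 carries the PROMISC flag.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'

# Constructed text in the /proc/net/packet layout (Proto is hex, Iface is an ifindex).
SAMPLE_PACKET='sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff88003a1c4000 3      3    0003   2     1 0      0      15231
ffff88003a1c5800 3      2    0800   0     1 0      101    20977'

# Read `ip link show` text on stdin; print each interface whose flag list has PROMISC.
promisc_ifaces() {
    awk '/^[0-9]+: / {
        name = $2; sub(/:$/, "", name)
        flags = $3; gsub(/[<>]/, ",", flags)      # "<A,B>" -> ",A,B," for exact match
        if (index(flags, ",PROMISC,")) print name
    }'
}

# Read /proc/net/packet text on stdin; print one line per open packet socket.
packet_sockets() {
    awk 'NR > 1 && NF >= 9 {
        if ($3 == 3) type = "raw"; else if ($3 == 2) type = "dgram"; else type = $3
        iface = ($5 == 0) ? "any" : $5            # ifindex 0 = not bound to one device
        printf "iface=%s type=%s proto=0x%s uid=%s inode=%s\n", iface, type, $4, $8, $9
    }'
}

# Count sockets bound to ETH_P_ALL (0003), the protocol libpcap-based capture opens.
count_eth_p_all() {
    awk 'NR > 1 && $4 == "0003" { n++ } END { print n + 0 }'
}

# Demo on the constructed samples; on a live host feed the real sources instead:
#   ip link show | promisc_ifaces ;  packet_sockets < /proc/net/packet
printf '%s\n' "$SAMPLE_IP_LINK" | promisc_ifaces
printf '%s\n' "$SAMPLE_PACKET" | packet_sockets
printf '%s\n' "$SAMPLE_PACKET" | count_eth_p_all
```

The ifindex reported by `packet_sockets` is the number that prefixes each entry in `ip link show`, which ties a socket to a named interface. An open packet socket is not by itself proof of promiscuous mode, since DHCP clients also open them, so treat the list as something to reconcile against expected processes.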