I recently did a fresh install of 7.3 on this system and included all security updates from scratch. Today I decided to run chkrootkit and found that it reported that eth0 wasn't in promiscuous mode. Since I'm running snort, and see in /var/log/messages lines like "eth0 entered promiscuous mode" I was a bit worried.
I ran tcpdump -i eth0 and did ifconfig and sure enough, PROMISC wasn't there. I reinstalled net-tools.rpm, but still no PROMISC. It's difficult to believe that this is the work of a hacker, since the entries are made into messages, and since the problem was still there after a reinstall of net-tools I think it would have to be a kernel problem and any kernel modification would surely remove log messages as well as proc entries.
I've tested it on two separate systems, both running 7.3, one running k_deflt 2.4.16 and one running k_deflt 2.4.17-69 (from mantel).
Is anyone else seeing this?
//Anders
I just ran chkrootkit yesterday and neither of my NICs was reported as being in promiscuous mode. I am not running Snort though. I have the 2.4.16 kernel.
Jim
02/27/02 08:37:20 PM, Anders Johansson
I recently did a fresh install of 7.3 on this system and included all security updates from scratch. Today I decided to run chkrootkit and found that it reported that eth0 wasn't in promiscuous mode. Since I'm running snort, and see in /var/log/messages lines like "eth0 entered promiscuous mode" I was a bit worried.
I ran tcpdump -i eth0 and did ifconfig and sure enough, PROMISC wasn't there. I reinstalled net-tools.rpm, but still no PROMISC. It's difficult to believe that this is the work of a hacker, since the entries are made into messages, and since the problem was still there after a reinstall of net-tools I think it would have to be a kernel problem and any kernel modification would surely remove log messages as well as proc entries
I've tested it on two separate systems, both running 7.3, one running k_deflt 2.4.16 and one running k_deflt 2.4.17-69 (from mantel)
Is anyone else seeing this?
//Anders
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
Yup,
snort has a command-line option -p, which disables promiscuous mode sniffing. Are you sure you haven't used this option, maybe accidentally?
Anders Johansson wrote:
I recently did a fresh install of 7.3 on this system and included all security updates from scratch. Today I decided to run chkrootkit and found that it reported that eth0 wasn't in promiscuous mode. Since I'm running snort, and see in /var/log/messages lines like "eth0 entered promiscuous mode" I was a bit worried.
[...]
Is anyone else seeing this?
//Anders
On Thursday 28 February 2002 15:41, Boris Lorenz wrote:
Yup,
snort has a command-line option -p, which disables promiscuous mode sniffing. Are you sure you haven't used this option, maybe accidentally?
Yep, I'm sure. I saw notices in /var/log/messages that said the interface went into promiscuous mode, and I tested with tcpdump -i eth0.
I've now tested on a machine that had a fresh install with no connection to the internet and it exhibits the same behaviour (which calmed my nerves somewhat :). All three machines had the 8139too driver, so right now I'm thinking it's a bug in that driver, that it never updates the proper fields in the control structure or something.
//Anders
Hi,
I have noticed exactly the same behaviour in chkrootkit.
Running tcpdump while chkrootkit ran it did *not* report promiscuous mode.
Greetz
johnvD.
On Thursday 28 February 2002 22:23, JohnvD wrote:
Hi,
I have noticed exactly the same behaviour in chkrootkit. Running tcpdump while chkrootkit ran it did *not* report promiscuous mode.
Greetz johnvD.
Are you running the 8139too driver as well?
//Anders
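The manual cross-check carried out in this thread (kernel log says the interface entered promiscuous mode, the reported interface flags say otherwise) can be automated. The following is an added example, not part of the original thread: the log lines and flag values are constructed, the function names are hypothetical, and the per-interface hex flags word is assumed to be supplied by the caller. IFF_PROMISC is 0x100 in <linux/if.h>.

```python
import re

IFF_PROMISC = 0x100  # promiscuous bit in the interface flags word (<linux/if.h>)

# Matches kernel log lines such as "device eth0 entered promiscuous mode".
EVENT = re.compile(r"(\S+) (entered|left) promiscuous mode")


def logged_state(log_lines):
    """Replay entered/left events; the last event per interface wins."""
    state = {}
    for line in log_lines:
        m = EVENT.search(line)
        if m:
            state[m.group(1).rstrip(":")] = (m.group(2) == "entered")
    return state


def flag_state(flags_hex):
    """True if the hex flags word has IFF_PROMISC set."""
    return bool(int(flags_hex, 16) & IFF_PROMISC)


def reconcile(log_lines, reported_flags):
    """Return (iface, logged, reported) for every interface where the
    kernel log and the reported flags disagree."""
    logged = logged_state(log_lines)
    mismatches = []
    for iface, flags_hex in sorted(reported_flags.items()):
        reported = flag_state(flags_hex)
        in_log = logged.get(iface, False)
        if in_log != reported:
            mismatches.append((iface, in_log, reported))
    return mismatches


# Constructed sample input (not taken from the thread).
SAMPLE_LOG = [
    "Feb 28 15:02:11 host kernel: device eth0 entered promiscuous mode",
    "Feb 28 15:04:40 host kernel: device eth1 entered promiscuous mode",
    "Feb 28 15:09:03 host kernel: device eth1 left promiscuous mode",
]
SAMPLE_FLAGS = {"eth0": "0x1003", "eth1": "0x1003", "eth2": "0x1103"}

if __name__ == "__main__":
    for iface, in_log, reported in reconcile(SAMPLE_LOG, SAMPLE_FLAGS):
        print(f"{iface}: log says promisc={in_log}, flags say promisc={reported}")
```

A mismatch in either direction is worth a look: a logged "entered" with no flag is the case this thread describes, while a set flag with no log entry means the log does not cover the event.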
participants (4)
- Anders Johansson
- Boris Lorenz
- James Bliss
- JohnvD