Yesterday I installed the Snort and Acid contrib (Sleepy) on an SME6.0.1 (plus) box in server-gateway mode. This morning I found the following rkhunter warning:
* Interfaces
Scanning for promiscuous interfaces [ Warning! ]
Found promiscuous interface.
I manually ran the suggested --createlogfile option and got:
[09:40:11] ------------------------------- Backdoors -----------------------------
[09:40:12] Checking network interfaces (promiscuous mode)... [ WARNING ]
[09:40:12] Possible promisc interfaces:
[09:40:12] Output test 1:
[09:40:12] Output test 2: eth1
I could not find anything really related on contribs.org; when I googled for it I only found:
Snort will show up as a promisc interface since snort is essentially a packet sniffer.
Does somebody know if this is the origin of the warning and, if so, can rkhunter be adjusted so that it will not be triggered by Snort and end up sending me 'bogus' mail every morning... OR have I really got a rootkit problem?!
Cheers,
Jester.
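
One way to check whether a promiscuous interface such as the eth1 in the log above is accounted for by Snort, as an added example that is not part of the original post and is not rkhunter's own code: it lists interfaces with the IFF_PROMISC flag set and maps the packet sockets bound to them back to the owning processes. Assumptions: a Linux host that exposes `/sys/class/net/<iface>/flags`, `/sys/class/net/<iface>/ifindex`, `/proc/net/packet` and `/proc/<pid>/comm`; all function names are hypothetical and the sample data is constructed.

```python
import os, re

IFF_PROMISC = 0x100  # IFF_PROMISC bit from <linux/if.h>

def promisc_ifaces(flags):
    """flags: {iface: hex string as read from /sys/class/net/<iface>/flags}."""
    return sorted(i for i, f in flags.items() if int(f, 16) & IFF_PROMISC)

def packet_sockets(text):
    """Parse /proc/net/packet text into (ifindex, inode) pairs."""
    rows = [l.split() for l in text.splitlines()[1:]]
    return [(int(r[4]), int(r[8])) for r in rows if len(r) >= 9]

def socket_owners(proc="/proc"):
    """Map socket inode -> process name by walking /proc/<pid>/fd (needs root)."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/comm") as fh:
                name = fh.read().strip()
            for fd in os.listdir(f"{proc}/{pid}/fd"):
                m = re.match(r"socket:\[(\d+)\]", os.readlink(f"{proc}/{pid}/fd/{fd}"))
                if m:
                    owners[int(m.group(1))] = name
        except OSError:
            continue  # process exited or permission denied
    return owners

def classify(flags, packet_text, ifnames, owners, expected=("snort",)):
    """For each promiscuous interface, list sniffing processes and a verdict."""
    result = {}
    for iface in promisc_ifaces(flags):
        procs = sorted({owners.get(ino, "unknown") for idx, ino in packet_sockets(packet_text)
                        if ifnames.get(idx) == iface})
        ok = bool(procs) and all(p in expected for p in procs)
        result[iface] = ("expected" if ok else "investigate", procs)
    return result

# Constructed sample data (not from the original post): eth1 is promiscuous
# and its only packet socket belongs to snort.
SAMPLE_FLAGS = {"lo": "0x9", "eth0": "0x1003", "eth1": "0x1103"}
SAMPLE_IFNAMES = {1: "lo", 2: "eth0", 3: "eth1"}
SAMPLE_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
c1a2b000 3      3    0003   3     1 0      0      4711
"""
SAMPLE_OWNERS = {4711: "snort"}

if __name__ == "__main__":
    print(classify(SAMPLE_FLAGS, SAMPLE_PACKET, SAMPLE_IFNAMES, SAMPLE_OWNERS))
```

On a live host, pass `socket_owners()` as `owners`; an "investigate" verdict means the promiscuous flag has no packet socket from an expected process behind it and deserves a closer look, not that a rootkit is present.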