Koozali.org: home of the SME Server

Legacy Forums => General Discussion (Legacy) => Topic started by: jester on August 16, 2005, 10:10:04 AM

Title: Rkhunter warnings: promiscuous interface (Snort ?!)
Post by: jester on August 16, 2005, 10:10:04 AM
Yesterday I installed the Snort and Acid contrib (Sleepy) on an SME6.0.1 (plus) box in server-gateway mode. This morning I found the following rkhunter warning:

* Interfaces
     Scanning for promiscuous interfaces  [ Warning! ]
Found promiscuous interface.


I manually ran the suggested --createlogfile option and got:

[09:40:11] ------------------------------- Backdoors -----------------------------
[09:40:12] Checking network interfaces (promiscuous mode)... [ WARNING ]
[09:40:12] Possible promisc interfaces:
[09:40:12] Output test 1:
[09:40:12] Output test 2: eth1


I could not find anything really related on contribs.org; when I googled for it I only found:
Snort will show up as a promisc interface since snort is essentially a packet sniffer.

Does somebody know if this is the origin of the warning and, if so, can rkhunter be adjusted so that it will not be triggered by snort and end up sending me 'bogus' mail every morning... OR have I really got a rootkit problem?!

Cheers,
  Jester.
Title: Rkhunter warnings: promiscuous interface (Snort ?!)
Post by: egerards on August 18, 2005, 03:17:03 PM
It's perfectly logical that you get this message from rkhunter after installing Snort. To be able to run a package such as Snort (or NTOP) in the way it is intended, you simply have to put a network interface into a promiscuous state.

So you can safely ignore this message from rkhunter. Unfortunately rkhunter does not seem to have an option to disable the promiscuous check, which means that you will get an rkhunter email every day (as I do too).
Title: Rkhunter warnings: promiscuous interface (Snort ?!)
Post by: jester on August 18, 2005, 05:54:09 PM
Thanx Eric!

This at least sets my mind at ease. I thought I might have been hacked or something, not knowing what the heck this promiscuous mode is.

Cheers!
jester.
Title: Rkhunter warnings: promiscuous interface (Snort ?!)
Post by: gordonr on August 19, 2005, 10:39:12 PM
Quote from: "jester"

This at least sets my mind at ease. I thought I might have been hacked or something, not knowing what the heck this promiscuous mode is.


Promiscuous mode tells your Ethernet interface to listen to all packets. Normally it will only listen to packets for its Ethernet address, broadcast and (possibly) multicast packets.

However, promiscuous mode is not particularly useful if your box is connected to an Ethernet _switch_ (most are) as the switch will only send the packets above to you.
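
A promiscuous-interface warning like the one in this thread can be followed up by checking which processes hold packet sockets on the flagged interface. The following is an added example, not code from the thread or from rkhunter: it tests the IFF_PROMISC bit in each interface's flags and lists the packet-socket owners as candidates. It assumes a Linux kernel that exposes /sys/class/net and /proc/net/packet; EXPECTED_SNIFFERS and SAMPLE_PACKET are constructed for illustration.

```python
import glob, os, re
IFF_PROMISC = 0x100            # promiscuous bit in Linux interface flags
EXPECTED_SNIFFERS = {"snort"}  # assumption: sniffers installed on purpose
# Constructed sample in /proc/net/packet layout (not from a real host).
SAMPLE_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
c1a2b000 3      3    0003   3     1 0      0      4711
c1a2c000 3      2    0800   2     1 0      0      4802
"""

def promisc_ifaces(flags):
    """flags: {iface: text of /sys/class/net/<iface>/flags} -> promiscuous names."""
    return sorted(n for n, v in flags.items() if int(v.strip(), 16) & IFF_PROMISC)

def packet_sockets(text):
    """Parse /proc/net/packet text -> {ifindex: [socket inode, ...]}."""
    socks = {}
    for cols in (l.split() for l in text.splitlines()[1:]):  # skip header row
        if len(cols) >= 9:
            socks.setdefault(int(cols[4]), []).append(int(cols[8]))
    return socks

def triage(flags, ifindex, packet_text, owners, expected=EXPECTED_SNIFFERS):
    """{iface: (verdict, candidates)}; ifindex {iface: index}, owners {inode: name}."""
    socks, result = packet_sockets(packet_text), {}
    for name in promisc_ifaces(flags):
        procs = sorted({owners.get(i, "unknown") for i in socks.get(ifindex[name], [])})
        ok = bool(procs) and set(procs) <= set(expected)  # no owner found -> not ok
        result[name] = ("expected" if ok else "investigate", procs)
    return result

def socket_owners():
    """Socket inode -> process name, from /proc/<pid>/fd links (run as root)."""
    owners = {}
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(fd))
            if m:
                with open(f"/proc/{fd.split('/')[2]}/comm") as f:
                    owners[int(m.group(1))] = f.read().strip()
        except OSError:
            continue  # process exited or access denied
    return owners

if __name__ == "__main__":  # live run on the host being checked
    read = lambda p: open(p).read()
    flags = {p.split("/")[4]: read(p) for p in glob.glob("/sys/class/net/*/flags")}
    index = {n: int(read(f"/sys/class/net/{n}/ifindex")) for n in flags}
    print(triage(flags, index, read("/proc/net/packet"), socket_owners()))
```

An "expected" verdict only means that every packet-socket owner on the interface is on the allowlist; any other process, or no identifiable owner at all, is reported as "investigate".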