On 2024-05-01 01:29:10 +0200, Vincent Lefevre wrote:
> For instance, /var/log/chkrootkit/log.expected contains
> 
> WARNING: Output from ifpromisc:
> lo: not promisc and no packet sniffer sockets
> <interface>: PACKET SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})
> 
> But /var/log/chkrootkit/log.today currently has a duplicate line:
> 
> WARNING: Output from ifpromisc:
> lo: not promisc and no packet sniffer sockets
> <interface>: PACKET SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})
> <interface>: PACKET SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})
> 
> which has the effect of generating an alert.

This is actually due to the filter in /etc/chkrootkit/chkrootkit.conf,
which obfuscates the output.

The unfiltered output:

lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/usr/sbin/NetworkManager[1261])
wlp0s20f3: PACKET SNIFFER(/usr/sbin/NetworkManager[1261], /usr/sbin/wpa_supplicant[1263])

But for a laptop, there is not always an Ethernet cable plugged in.

IMHO, known packet sniffers should be filtered out.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
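
An added example, not part of the original message or of chkrootkit: one way to filter out known packet sniffers so that the result does not depend on how many interfaces are up. The function name and the allowlist (the two full paths from the unfiltered output above) are assumptions for illustration.

```python
import re

# Assumption: allowlist built from the two full paths shown in the unfiltered
# output quoted in the message; a real host would list its own network daemons.
KNOWN_SNIFFERS = frozenset({"/usr/sbin/NetworkManager", "/usr/sbin/wpa_supplicant"})

SNIFFER_RE = re.compile(r"^(?P<iface>\S+): PACKET SNIFFER\((?P<procs>.*)\)$")
PROC_RE = re.compile(r"^(?P<path>.+)\[(?P<pid>\d+)\]$")
BENIGN_SUFFIX = ": not promisc and no packet sniffer sockets"


def unexpected_sniffers(output, known=KNOWN_SNIFFERS):
    """Return sorted, de-duplicated findings that are not on the allowlist.

    Interfaces whose sniffers are all known produce nothing, so the result
    does not change when an interface such as eth0 appears or disappears.
    PIDs are dropped so the result is also stable across daemon restarts.
    """
    findings = set()
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.endswith(BENIGN_SUFFIX):
            continue
        m = SNIFFER_RE.match(line)
        if m is None:
            findings.add(line)  # unparsed lines are reported, never hidden
            continue
        for proc in m.group("procs").split(","):
            pm = PROC_RE.match(proc.strip())
            path = pm.group("path") if pm else proc.strip()
            if path not in known:  # full-path match, not just the basename
                findings.add(f"{m.group('iface')}: PACKET SNIFFER({path})")
    return sorted(findings)


# Constructed samples: the message's unfiltered output with and without eth0,
# plus a constructed line for a same-named binary outside /usr/sbin.
WITH_ETH0 = """lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/usr/sbin/NetworkManager[1261])
wlp0s20f3: PACKET SNIFFER(/usr/sbin/NetworkManager[1261], /usr/sbin/wpa_supplicant[1263])"""
WITHOUT_ETH0 = "\n".join(ln for ln in WITH_ETH0.splitlines() if not ln.startswith("eth0"))
SUSPECT = WITH_ETH0 + "\neth0: PACKET SNIFFER(/tmp/NetworkManager[4242])"

if __name__ == "__main__":
    for name, sample in (("with eth0", WITH_ETH0), ("without eth0", WITHOUT_ETH0), ("suspect", SUSPECT)):
        print(name, unexpected_sniffers(sample))
```

Matching on the full path rather than the process name means a binary that merely calls itself NetworkManager is still reported.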
