On 2024-05-01 01:29:10 +0200, Vincent Lefevre wrote:
> For instance, /var/log/chkrootkit/log.expected contains
>
> WARNING: Output from ifpromisc:
> lo: not promisc and no packet sniffer sockets
> <interface>: PACKET
> SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})
>
> But /var/log/chkrootkit/log.today currently has a duplicate line:
>
> WARNING: Output from ifpromisc:
> lo: not promisc and no packet sniffer sockets
> <interface>: PACKET
> SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})
> <interface>: PACKET
> SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})
>
> which has the effect to generate an alert.

This is actually due to the filter in /etc/chkrootkit/chkrootkit.conf,
which obfuscates the output. The unfiltered output:

lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/usr/sbin/NetworkManager[1261])
wlp0s20f3: PACKET SNIFFER(/usr/sbin/NetworkManager[1261], /usr/sbin/wpa_supplicant[1263])

But for a laptop, there is not always an Ethernet cable plugged in.

IMHO, known packet sniffers should be filtered out.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
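
The effect described in the message above, as an added example that is not part of the original message or of the chkrootkit package: rewriting each sniffer line to a placeholder makes the line count depend on how many interfaces are up, while dropping lines that list only known processes does not. `normalize` is a hypothetical stand-in for the package's filter, `filter_known` and `KNOWN` are illustrative names, and the sample input is the unfiltered output quoted in the message.

```shell
#!/bin/sh
# Known process names, taken from the placeholder text in log.expected.
KNOWN='systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager'

# Sample input: the unfiltered ifpromisc output quoted in the message.
sample_output() {
cat <<'EOF'
lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/usr/sbin/NetworkManager[1261])
wlp0s20f3: PACKET SNIFFER(/usr/sbin/NetworkManager[1261], /usr/sbin/wpa_supplicant[1263])
EOF
}

# Hypothetical stand-in for the obfuscating filter: every sniffer line
# becomes the same placeholder, so two active interfaces give two
# identical lines and a diff against a one-line log.expected fires.
normalize() {
  sed -E 's/^[^ :]+: PACKET SNIFFER\(.*\)$/<interface>: PACKET SNIFFER(['"$KNOWN"']{PID})/'
}

# Alternative: drop a sniffer line only when every listed process is in
# KNOWN; a line naming any other process is kept verbatim for the diff.
filter_known() {
  awk -v known="$KNOWN" '
    /: PACKET SNIFFER\(/ {
      list = $0
      sub(/^[^(]*\(/, "", list)          # cut "iface: PACKET SNIFFER("
      sub(/\)$/, "", list)               # cut the closing parenthesis
      n = split(list, procs, /, */)
      unknown = 0
      for (i = 1; i <= n; i++) {
        name = procs[i]
        sub(/\[[0-9]+\]$/, "", name)     # strip the [PID] suffix
        sub(/^.*\//, "", name)           # keep the basename only
        if (name !~ ("^(" known ")$")) unknown = 1
      }
      if (!unknown) next
    }
    { print }
  '
}

echo "normalized:";    sample_output | normalize
echo "known dropped:"; sample_output | filter_known
```

Matching on the basename trusts the process name that ifpromisc reports; comparing the full path (for example /usr/sbin/NetworkManager) is the stricter variant.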