On Wed, 1 May 2024, 00:57 Vincent Lefevre, <vinc...@vinc17.net> wrote:
> On 2024-05-01 01:29:10 +0200, Vincent Lefevre wrote:
> > For instance, /var/log/chkrootkit/log.expected contains
> >
> > WARNING: Output from ifpromisc:
> > lo: not promisc and no packet sniffer sockets
> > <interface>: PACKET SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})
> >
> > But /var/log/chkrootkit/log.today currently has a duplicate line:
> >
> > WARNING: Output from ifpromisc:
> > lo: not promisc and no packet sniffer sockets
> > <interface>: PACKET SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})
> > <interface>: PACKET SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})
> >
> > which has the effect of generating an alert.
>
> This is actually due to the filter in /etc/chkrootkit/chkrootkit.conf,
> which obfuscates the output.
>
> The unfiltered output:
>
> lo: not promisc and no packet sniffer sockets
> eth0: PACKET SNIFFER(/usr/sbin/NetworkManager[1261])
> wlp0s20f3: PACKET SNIFFER(/usr/sbin/NetworkManager[1261],
> /usr/sbin/wpa_supplicant[1263])
>
> But for a laptop, there is not always an Ethernet cable plugged in.
>
> IMHO, known packet sniffers should be filtered out.

I agree that you should be able to filter out duplicate lines. And I think this is possible with a custom filter.

I don't think it should be the default: most chkrootkit users have a more static network setup, and the alert shows something has changed. For laptops where networking is more dynamic it's hard to design something that works for everyone without also hiding information for other people.

I think the defaults need to be conservative, while allowing people to hide what they want. Maybe the best solution is to provide more docs/examples about how to hide duplicate lines.
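The custom filter the reply points to, as an added example that is not part of this thread or of the chkrootkit package: a shell post-filter that drops repeated lines inside the "Output from ifpromisc" section only, leaving every other section untouched so the daily diff against log.expected still flags changes there. It assumes it runs after the PID/name obfuscation already applied by the packaged cron job; the sample log is constructed, and the function name `dedup_ifpromisc` is this example's own.

```shell
#!/bin/sh
# dedup_ifpromisc: read a (filtered) chkrootkit log on stdin and write it to
# stdout with duplicate non-empty lines removed from the ifpromisc section.
# Repeats in any other section are kept, so they still show up in the diff.
dedup_ifpromisc() {
    awk '
        /^WARNING: Output from / {            # a new section starts here
            in_sec = ($0 ~ /ifpromisc:/)      # dedup only inside ifpromisc
            split("", seen)                   # portable way to empty seen[]
            print; next
        }
        in_sec && $0 != "" && ($0 in seen) { next }   # repeated interface line
        { seen[$0] = 1; print }
    '
}

# Constructed sample log: two obfuscated interface lines (eth0 and wlan
# collapsed to the same placeholder) plus a second section with a repeat
# that must survive.
sample_log() {
    cat <<'EOF'
WARNING: Output from ifpromisc:
lo: not promisc and no packet sniffer sockets
<interface>: PACKET SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})
<interface>: PACKET SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})

WARNING: Output from chkwtmp:
other line
other line
EOF
}

# Stand-alone run: prints the deduplicated log.
sample_log | dedup_ifpromisc
```

To use it with the daily job, pipe the filtered output of chkrootkit through `dedup_ifpromisc` before it is written to log.today and compared with log.expected.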