On 2024-06-30 00:03:05 +0100, Richard Lewis wrote:
> On Thu, 2 May 2024 13:24:33 +0200 Vincent Lefevre <[email protected]> wrote:
>
> > The "chkrootkit -s" example in the man page is
> >
> >   chkrootkit -s '(systemd-netword|NetworkManager|wpa_supplicant)'
> >
> > but if an unrecognized packet sniffer is added on one of the
> > interfaces, it will not be detected.
>
> Can you give an example of what is not detected - I think this should work
> fine

I don't remember. Perhaps I meant that the full path should be tested to
avoid false positives for the lines to be excluded (also make sure that
one does not have a substring, but the way to do this is currently not
documented - certainly not with ^ and $ as usual, because the match is
done on the full line).

> > If I understand correctly, it should be something more like
> >
> >   chkrootkit -s '^[[:alnum:]]+: PACKET SNIFFER\(((/usr/lib/systemd/systemd-networkd|/usr/sbin/(dhclient|dhcpc?d[0-9]*|wpa_supplicant|NetworkManager))\[[0-9]+\](, )?)+\)$'
> >
> > (inspired by the default FILTER).
>
> while this is a more 'technically correct' way for sure, but any line
> matching the regexp is removed from the output, so the example in the
> man-page does work (at the risk of matching 'too much') -- can you
> explain what doesn't work?

The issue is that it may match too much, and a rootkit could exploit that.

-- 
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
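The point of the exchange above, shown on constructed data (this is an added example, not code from the thread or from chkrootkit): the man-page pattern is an unanchored substring match, so a sniffer line that lists a whitelisted daemon together with an unrecognized process is dropped from the report, while the full-line pattern only drops lines where every listed process is one of the expected daemons. The assumption made here is that `-s` removes every output line matching the regexp, modelled as `grep -Ev`; the sample sniffer lines and the `/tmp/.x/sniff` process name are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not chkrootkit's own code). Assumption: "chkrootkit -s RE"
# drops every sniffer output line that matches RE, modelled as grep -Ev.

# Pattern as quoted from the man page in the thread (spelling kept as quoted).
LOOSE='(systemd-netword|NetworkManager|wpa_supplicant)'

# Full-line pattern proposed in the thread: the whole line must consist of
# "<iface>: PACKET SNIFFER(" + one or more known daemon[pid] entries + ")".
STRICT='^[[:alnum:]]+: PACKET SNIFFER\(((/usr/lib/systemd/systemd-networkd|/usr/sbin/(dhclient|dhcpc?d[0-9]*|wpa_supplicant|NetworkManager))\[[0-9]+\](, )?)+\)$'

# Constructed sample of chkrootkit sniffer output for three interfaces.
# The third line carries an extra, unrecognized process next to a known daemon.
sample_output() {
    cat <<'EOF'
eth0: PACKET SNIFFER(/usr/sbin/NetworkManager[812])
wlan0: PACKET SNIFFER(/usr/sbin/wpa_supplicant[640], /usr/sbin/NetworkManager[812])
eth1: PACKET SNIFFER(/usr/sbin/NetworkManager[812], /tmp/.x/sniff[4099])
EOF
}

# Lines that survive the exclusion filter, i.e. what would be reported.
report() {
    sample_output | grep -Ev "$1" || true
}

# Number of reported lines for a given pattern.
count_reported() {
    report "$1" | wc -l | tr -d ' '
}

# Lines the loose pattern hides that the full-line pattern would still report:
# these are the false negatives the thread is worried about.
hidden_by_loose() {
    sample_output | grep -E "$LOOSE" | grep -Ev "$STRICT" || true
}

echo "reported with the man-page pattern:"
report "$LOOSE"
echo "reported with the full-line pattern:"
report "$STRICT"
echo "hidden by the man-page pattern but not by the full-line pattern:"
hidden_by_loose
```

With this input the man-page pattern reports nothing, because every line contains the substring `NetworkManager`, whereas the full-line pattern still reports the `eth1` line. Any whitelist passed to `-s` should therefore describe the complete expected line, full paths included, rather than a daemon name that can appear as a substring.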

