Package: chkrootkit
Version: 0.45-1

Hello,

it looks like chkrootkit's ifpromisc has problems with parsing packet
sockets having big inodes.

I have several machines running snort, all of them running the same
kernel (2.4.27), three of them with stable, one with unstable. On all
but one, snort is detected by ifpromisc (stable as well as unstable, I
copied the binary). On the one where it isn't detected correctly (note
the (null)[(null)]), the packet socket has quite a big inode; that's
the only difference I found:

# cat /proc/net/packet 
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
e188f0a0 3      3    0003   2     1 0      0      2264686735
# ls -l /proc/1232/fd | grep 2264686735
lrwx------  1 root root 64 Oct 10 10:33 3 -> socket:[2264686735]
# /usr/lib/chkrootkit/ifpromisc 
lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER((null)[(null)])
# ./ifpromisc 
lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER((null)[(null)])

/usr/lib/chkrootkit/ifpromisc is stable (0.44-2), ./ifpromisc is
unstable (0.45-1).

On the other machines where ifpromisc works well, the inodes are
smaller:

# cat /proc/net/packet 
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
e01e7180 3      3    0003   2     1 2160   0      1358616
# ls -l /proc/11723/fd | grep 1358616
lrwx------  1 root root 64 Oct 10 10:36 4 -> socket:[1358616]
# /usr/lib/chkrootkit/ifpromisc
lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/usr/sbin/snort[11723])

# cat /proc/net/packet
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ee0db820 3      2    0003   112   1 592    0      3076871
# ls -l /proc/12905/fd | grep 3076871
lrwx------  1 root root 64 Oct 10 10:38 4 -> socket:[3076871]
# /usr/lib/chkrootkit/ifpromisc
lo: not promisc and no packet sniffer sockets
ppp0: PACKET SNIFFER(/usr/sbin/snort[12905])


Thanks for your work & regards
   Mario
-- 
"Why are we hiding from the police, daddy?"      | J. E. Guenther
"Because we use SuSE son, they use SYSVR4."      | de.alt.sysadmin.recovery
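
Added example, not part of the original report and not chkrootkit's code: the inode on the failing machine, 2264686735, is larger than 2147483647, the largest signed 32-bit value. Assuming (the report does not confirm this) that the inode passes through a signed 32-bit integer before being compared with the socket:[N] link targets under /proc/<pid>/fd, this C program shows the lookup missing for that row and matching for the 1358616 row. All function names are hypothetical.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input: two /proc/net/packet rows quoted in the report. */
static const char *ROW_BIG   = "e188f0a0 3      3    0003   2     1 0      0      2264686735";
static const char *ROW_SMALL = "e01e7180 3      3    0003   2     1 2160   0      1358616";

/* Parse the Inode column into 64 bits; returns 0 for the header or a bad row. */
int packet_row_inode(const char *row, uint64_t *inode)
{
    return sscanf(row, "%*s %*d %*d %*s %*d %*d %*u %*u %" SCNu64, inode) == 1;
}

/* Does an fd link target such as "socket:[2264686735]" name this inode? */
int link_matches_wide(const char *target, uint64_t inode)
{
    char want[64];
    snprintf(want, sizeof want, "socket:[%" PRIu64 "]", inode);
    return strcmp(target, want) == 0;
}

/* Assumed failure mode: the inode is squeezed through a signed 32-bit value,
   clamped the way strtol() clamps when long is 32 bits wide. */
int link_matches_narrow(const char *target, uint64_t inode)
{
    int32_t n = inode > INT32_MAX ? INT32_MAX : (int32_t)inode;
    char want[64];
    snprintf(want, sizeof want, "socket:[%" PRId32 "]", n);
    return strcmp(target, want) == 0;
}

int main(void)
{
    const char *rows[]  = { ROW_BIG, ROW_SMALL };
    const char *links[] = { "socket:[2264686735]", "socket:[1358616]" };
    for (int i = 0; i < 2; i++) {
        uint64_t ino;
        if (!packet_row_inode(rows[i], &ino)) continue;
        printf("inode %" PRIu64 ": 32-bit signed lookup %s, 64-bit lookup %s\n",
               ino, link_matches_narrow(links[i], ino) ? "matches" : "misses",
               link_matches_wide(links[i], ino) ? "matches" : "misses");
    }
    return 0;
}
```

A tool that cannot map the socket back to a process still reports the sniffer but loses the attribution, which is the (null)[(null)] symptom shown above.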

