From: Remko Lodder <remko@elvandar.org>
Date: Sun, 15 Aug 2004 23:11:53 +0200
To: Aaron Dalton
cc: freebsd-questions@freebsd.org
Subject: Re: Is promiscuous mode bad?
Message-ID: <411FD199.6050704@elvandar.org>
In-Reply-To: <200408151429.05110.aaron@daltons.ca>

Aaron Dalton wrote:
> I was running security/rkhunter and it warns me about my network card being in
> promiscuous mode. I have a few questions:
> 1) What exactly is promiscuous mode? (I've done some googling but haven't
> found anything really clear)
> 2) Why might it be considered a bad thing?
> 3) How do I disable it if it really is bad?
> 4) What are the effects of disabling it?
>
> Thank you *so much* for your time!

Hi Aaron,

1) Promiscuous mode means that your network is dumping its packets somewhere; normally they just get transported.
Now the added feature is that an application like tcpdump can display the packets, and with the correct options (tcpdump -X for example) you can even see what's inside the packets. If you do plain auth authorization, it is possible with a 'sniffer' (which puts your network into promisc. mode) to see what the username and password of the user are, and so use those credentials to do something evil.

2) See above.

3) ifconfig -a (check which has PROMISC in it)
   ifconfig interfacename -promisc turns the promisc mode off.

4) The application that enabled promisc is probably not functioning correctly anymore, which is perhaps a good thing.

Are you running any IDSes or something like that that you know of? Since they also put the network into promisc mode.

Cheers!

--
Kind regards,

Remko Lodder                   |remko@elvandar.org
Reporter DSINet                |remko@dsinet.org
Projectleader Mostly-Harmless  |remko@mostly-harmless.nl
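The check in step 3 (look for PROMISC in `ifconfig -a`) can be scripted so it runs from cron or periodic(8) and reports which interfaces are promiscuous, which is what rkhunter is doing for Aaron in a less transparent way. The script below is an added example written for this thread, not code from rkhunter or from FreeBSD; the `ifconfig` output it parses is a constructed sample with documentation addresses, and the function names `promisc_ifaces` and `check_promisc` are my own. It only reads flags and prints a report; turning promiscuous mode off is left to the `ifconfig <if> -promisc` command the reply already gives.

```shell
#!/bin/sh
# Constructed sample of FreeBSD `ifconfig -a` output (not captured from the thread).
# em0 carries the PROMISC flag, em1 and lo0 do not.
SAMPLE_IFCONFIG='em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 198.51.100.7 netmask 0xffffff00 broadcast 198.51.100.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# promisc_ifaces: read ifconfig(8) output on stdin and print, one per line, the
# name of every interface whose flags word contains PROMISC. The flag word is
# the second field of the "name: flags=XXXX<A,B,C> ..." header line, so each
# flag is compared exactly rather than by substring.
promisc_ifaces() {
    awk '
        /^[A-Za-z][A-Za-z0-9._-]*: flags=[0-9a-f]*<[^>]*>/ {
            name = $1; sub(/:$/, "", name)
            flags = $2
            sub(/^flags=[0-9a-f]*</, "", flags)
            sub(/>.*$/, "", flags)
            n = split(flags, f, ",")
            for (i = 1; i <= n; i++)
                if (f[i] == "PROMISC") { print name; break }
        }'
}

# check_promisc: read ifconfig output on stdin, print a one-line verdict per
# promiscuous interface (with the command to clear it) and return 1 if any was
# found, 0 otherwise, so a cron job can alert on the exit status.
check_promisc() {
    found=$(promisc_ifaces)
    if [ -n "$found" ]; then
        for i in $found; do
            printf 'WARNING: %s is in promiscuous mode (clear with: ifconfig %s -promisc)\n' "$i" "$i"
        done
        return 1
    fi
    printf 'OK: no interface in promiscuous mode\n'
    return 0
}

# Run against the constructed sample; on a live FreeBSD host use instead:
#   ifconfig -a | check_promisc
printf '%s\n' "$SAMPLE_IFCONFIG" | check_promisc
```

A non-zero exit from `check_promisc` is what you would wire into a periodic security report; when it fires, the next question is the one Remko asks, namely which process (an IDS, tcpdump, a DHCP or bridge daemon) opened the interface, because clearing the flag while that process still runs only hides the symptom.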