Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 25 Oct 2015 11:17:09 -0400
From:      "Michael B. Eichorn" <ike@michaeleichorn.com>
To:        Ernie Luzar <luzar722@gmail.com>, freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: promiscuous mode messages
Message-ID:  <1445786229.29271.14.camel@michaeleichorn.com>
In-Reply-To: <562CCC10.80509@gmail.com>
References:  <562CCC10.80509@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help 

[-- Attachment #1 --]
On Sun, 2015-10-25 at 08:33 -0400, Ernie Luzar wrote:
> Hello list
> 
> I was reviewing the console log [/var/og/messages] and noticed these 
> messages.
> 
> xlo: promiscuous mode enabled
> xlo: promiscuous mode disabled
> xlo: promiscuous mode enabled
> xlo: promiscuous mode disabled
> xlo: promiscuous mode enabled
> xlo: promiscuous mode disabled
> xlo: promiscuous mode enabled
> xlo: promiscuous mode disabled
> 
> Now to my knowledge I did nothing to cause this.
> xl0 is the interface facing the public internet.

Are you sure? Lots of networking/monitoring tools use promiscuous mode.
In fact enabled/diabled like that is exactly what you will get if you run
tcpdump without the -p option.

> Could this have been a remote attacker?

Not really. Promiscuous mode requires root to enable/disable. An attacker
would need to be logged in and get root.

Anyway try correlating the timestamps on /var/log/messages with
/var/log/auth.log

> How to disable xl0 from being able to enter promiscuous mode?

Requires root to use already. Against a user with root resistance is
futile.
[-- Attachment #2 --]
0	*H
010
	`He0	*H
000]0
	*H
010	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 1 Primary Intermediate Client CA0
150613202446Z
160614003550Z0H10Uike@michaeleichorn.com1%0#	*H
	ike@michaeleichorn.com0"0
	*H
0
UՀ,k9D %Z|Y6J<rrK
g;&|uNlUE9)V.[ט̊:qS](#vSYDz*CpugYݔ,v<`j(waS#ڒ6n(K5'KVLåErv<J=[}W
bLA%gޭnVb|	I?M7D:$׃bM_T[,ƃ\00	U00U0U%0++0Ujj:	γ+39啖0U#0Sr풜\|~5NԸQ0!U0ike@michaeleichorn.com0LU C0?0;+70*0.+"http://www.startssl.com/policy.pdf0+00' StartCom Certification Authority0This certificate was issued according to the Class 1 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations.06U/0-0+)'%http://crl.startssl.com/crtu1-crl.crl0+009+0-http://ocsp.startssl.com/sub/class1/client/ca0B+06http://aia.startssl.com/certs/sub.class1.client.ca.crt0#U0http://www.startssl.com/0
	*H
x+ȐF}pw.XvF?rg
P]EOp)L˻yA
;hi0u2]m [Sbp$_
gr
Xm*YP3#H>mKAǠt)HO|=@}3ӝ'iO81>03	v'h5U
"H;ECZtpҗ4rWHu^6+i*kJL8shAV|5;?HMc\	j[j|+000]0
	*H
010	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 1 Primary Intermediate Client CA0
150613202446Z
160614003550Z0H10Uike@michaeleichorn.com1%0#	*H
	ike@michaeleichorn.com0"0
	*H
0
UՀ,k9D %Z|Y6J<rrK
g;&|uNlUE9)V.[ט̊:qS](#vSYDz*CpugYݔ,v<`j(waS#ڒ6n(K5'KVLåErv<J=[}W
bLA%gޭnVb|	I?M7D:$׃bM_T[,ƃ\00	U00U0U%0++0Ujj:	γ+39啖0U#0Sr풜\|~5NԸQ0!U0ike@michaeleichorn.com0LU C0?0;+70*0.+"http://www.startssl.com/policy.pdf0+00' StartCom Certification Authority0This certificate was issued according to the Class 1 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations.06U/0-0+)'%http://crl.startssl.com/crtu1-crl.crl0+009+0-http://ocsp.startssl.com/sub/class1/client/ca0B+06http://aia.startssl.com/certs/sub.class1.client.ca.crt0#U0http://www.startssl.com/0
	*H
x+ȐF}pw.XvF?rg
P]EOp)L˻yA
;hi0u2]m [Sbp$_
gr
Xm*YP3#H>mKAǠt)HO|=@}3ӝ'iO81>03	v'h5U
"H;ECZtpҗ4rWHu^6+i*kJL8shAV|5;?HMc\	j[j|+0400
	*H
0}10	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1)0'U StartCom Certification Authority0
071024210155Z
171024210155Z010	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 1 Primary Intermediate Client CA0"0
	*H
0
	-).2AUGo#G
B|NDRpM-B=o-we5JQpa>O.#._<V
[~**pz~3WG.ᘟMlr[<Ce6fqO"uxfWN#uicgkv$Lb%y`_{`xK'GN00U00U0USr풜\|~5NԸQ0U#0N@[i04hCA0f+Z0X0'+0http://ocsp.startssl.com/ca0-+0!http://www.startssl.com/sfsca.crt0[UT0R0'%#!http://www.startssl.com/sfsca.crl0'%#!http://crl.startssl.com/sfsca.crl0U y0w0u+70f0.+"http://www.startssl.com/policy.pdf04+(http://www.startssl.com/intermediate.pdf0
	*H

}x,\c^#wMq}>UK/^yX֏y	frMIŲB61ymQ󸟆ҨݬZ0&;@#13qۑ&	̢o	6r_;GO>*I(	74XS1r3)!LJy6Kotˆ#
_wSr
;B
ADp(fs䰷6%.W0J3:bC<8t X1<Cn=t==wST~\wkBf|15zUP)(IjVB!OfI=bb\4-*em/нSJm7N[]'@ڽD9Kr>R7/|o^I@ټ'Pa$ z9a'L)(
I}vcH]۸D*W}
m>Q|C.(,lQ100010	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 1 Primary Intermediate Client CA]0
	`He0	*H
	1	*H
0	*H
	1
151025151709Z0O	*H
	1B@l9IB&*.LQL+!a$T׈\1ؑRQO(:lºҒ1CL0	+710010	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 1 Primary Intermediate Client CA]0*H
	1010	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 1 Primary Intermediate Client CA]0
	*H
k3{˗mE5TfW4߸d!jAǬawW^G;p5Hܯ
y+-ҍm,$6
#[U{IOUfDA
2+O!p0
x?!myfVc'(	W9oDzu_ k嚸MVs;UJtє+9=F1̮6:-$5

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1445786229.29271.14.camel>