From owner-freebsd-security Fri Apr 20 11: 1:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from imr1.ericy.com (imr1.ericy.com [208.237.135.240])
	by hub.freebsd.org (Postfix) with ESMTP id E72C237B423
	for ; Fri, 20 Apr 2001 11:01:27 -0700 (PDT)
	(envelope-from Antoine.Beaupre@ericsson.ca)
Received: from mr5.exu.ericsson.se (mr5u3.ericy.com [208.237.135.124])
	by imr1.ericy.com (8.10.2/8.10.2) with ESMTP id f3KI1RB05605;
	Fri, 20 Apr 2001 13:01:27 -0500 (CDT)
Received: from noah.lmc.ericsson.se (noah.lmc.ericsson.se [142.133.1.1])
	by mr5.exu.ericsson.se (8.11.3/8.11.3) with ESMTP id f3KI1OT20481;
	Fri, 20 Apr 2001 13:01:24 -0500 (CDT)
Received: from lmc35.lmc.ericsson.se (lmc35.lmc.ericsson.se [142.133.16.175])
	by noah.lmc.ericsson.se (8.11.2/8.9.2) with ESMTP id f3KI1Np01771;
	Fri, 20 Apr 2001 14:01:23 -0400 (EDT)
Received: by lmc35.lmc.ericsson.se with Internet Mail Service (5.5.2653.19)
	id ; Fri, 20 Apr 2001 14:01:22 -0400
Received: from lmc.ericsson.se (lmcpc100455.pc.lmc.ericsson.se [142.133.23.150])
	by LMC37.lmc.ericsson.se with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
	id 2N3XLGNA; Fri, 20 Apr 2001 14:01:19 -0400
From: "Antoine Beaupre (LMC)"
To: Peter Pentchev
Cc: freebsd-security@FreeBSD.ORG
Message-ID: <3AE0796E.E5DBCD3E@lmc.ericsson.se>
Date: Fri, 20 Apr 2001 14:01:18 -0400
Organization: LMC, Ericsson Research Canada
X-Mailer: Mozilla 4.7 [en]C-CCK-MCD (WinNT; U)
X-Accept-Language: en,fr-CA,fr
MIME-Version: 1.0
Subject: Re: promiscuous mode
References: <20010419161503.A1527@ringworld.oblivion.bg>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

That would fit nicely as a FAQ answer.

A.

Peter Pentchev wrote:
>
> On Thu, Apr 19, 2001 at 08:10:45AM -0500, George.Giles@mcmail.vanderbilt.edu wrote:
> > I have a 4.2-RELEASE box that is going into, and out of, promiscuous mode
> > on the xl0 interface. What would cause this ? Is it a sign of a potential
> > problem ?
>
> 'Promiscuous mode' means that the kernel starts processing - and passing
> to userland programs - ethernet frames that are not targeted to this machine
> only. This means somebody (usu. root ;) is running a packet capture program -
> either tcpdump, or some traffic analysis utility, or - if none of the above -
> possibly a packet sniffer. In the last case, you should be alarmed.
>
> If you are not running tcpdump or some traffic analysis program, or if there
> are times that you are not running those, but the interface still goes into
> or out of promiscuous mode, then yes, this is a sign of a potential intrusion.
>
> G'luck,
> Peter
>
> --
> I am the thought you are now thinking.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Semantics is the gravity of abstraction.
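
Added example, not part of the original thread or of FreeBSD itself: the check Peter describes, done over syslog text, by pairing each "promiscuous mode enabled" kernel message with its "disabled" so the windows can be compared against the times tcpdump or a traffic analyser was knowingly run. The message format and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pair up promiscuous-mode transitions found in syslog text.
# Assumption: kernel messages look like
#   "<date> <host> /kernel: <if>: promiscuous mode enabled|disabled"

# Constructed sample input (not taken from a real host).
sample_log() {
cat <<'EOF'
Apr 19 02:14:07 box /kernel: xl0: promiscuous mode enabled
Apr 19 02:31:52 box /kernel: xl0: promiscuous mode disabled
Apr 19 09:00:01 box sshd[211]: Accepted password for admin from 192.0.2.10
Apr 19 13:05:40 box /kernel: xl0: promiscuous mode enabled
EOF
}

# Reads syslog lines on stdin and prints one line per capture window:
#   <if> <start> -> <end>
#   <if> <start> -> STILL-ON        (enabled, never disabled in this log)
#   <if> UNKNOWN-START -> <end>     (disabled without a logged enable)
promisc_windows() {
awk '
/promiscuous mode (enabled|disabled)/ {
    ts = $1 " " $2 " " $3
    # The interface name is the field just before "promiscuous".
    for (i = 2; i <= NF; i++) if ($i == "promiscuous") { ifn = $(i-1); break }
    sub(/:$/, "", ifn)
    if ($NF == "enabled") {
        if (!(ifn in start)) start[ifn] = ts
    } else if (ifn in start) {
        print ifn, start[ifn], "->", ts
        delete start[ifn]
    } else {
        print ifn, "UNKNOWN-START", "->", ts
    }
}
END { for (ifn in start) print ifn, start[ifn], "->", "STILL-ON" }
'
}

sample_log | promisc_windows
```

On a live host, feed it the system log (for example `promisc_windows < /var/log/messages`); any window that does not line up with a capture you started yourself is the case the thread says to treat as a potential intrusion. While a window is open, `ifconfig xl0` lists PROMISC among the interface flags.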