promiscuous mode messages
Michael B. Eichorn
ike at michaeleichorn.com
Sun Oct 25 15:14:40 UTC 2015
On Sun, 2015-10-25 at 08:33 -0400, Ernie Luzar wrote:
> Hello list
>
> I was reviewing the console log [/var/log/messages] and noticed these
> messages.
>
> xlo: promiscuous mode enabled
> xlo: promiscuous mode disabled
> xlo: promiscuous mode enabled
> xlo: promiscuous mode disabled
> xlo: promiscuous mode enabled
> xlo: promiscuous mode disabled
> xlo: promiscuous mode enabled
> xlo: promiscuous mode disabled
>
> Now to my knowledge I did nothing to cause this.
> xl0 is the interface facing the public internet.
Are you sure? Lots of networking/monitoring tools use promiscuous mode.
In fact enabled/disabled like that is exactly what you will get if you run
tcpdump without the -p option.
> Could this have been a remote attacker?
Not really. Promiscuous mode requires root to enable/disable. An attacker
would need to be logged in and get root.
Anyway try correlating the timestamps on /var/log/messages with
/var/log/auth.log
> How to disable xl0 from being able to enter promiscuous mode?
Requires root to use already. Against a user with root, resistance is
futile.
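The timestamp correlation suggested in the reply can be scripted. The following is an added example, not part of the original message: it lists, for each "promiscuous mode enabled" line, the auth.log entries from the preceding five minutes. The log lines, host name, user, address and the five-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the traditional BSD syslog layout (not from the post).
MESSAGES = """\
Oct 25 08:12:01 gw kernel: xl0: promiscuous mode enabled
Oct 25 08:12:44 gw kernel: xl0: promiscuous mode disabled
Oct 25 09:30:10 gw kernel: xl0: promiscuous mode enabled
Oct 25 09:30:15 gw kernel: xl0: promiscuous mode disabled
"""
AUTH = """\
Oct 25 08:10:30 gw sshd[1234]: Accepted publickey for ernie from 192.0.2.10 port 51515 ssh2
Oct 25 08:11:58 gw sudo:    ernie : TTY=pts/0 ; PWD=/home/ernie ; USER=root ; COMMAND=/usr/sbin/tcpdump -i xl0
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+(.*)$")
PROMISC = re.compile(r"(\w+): promiscuous mode (enabled|disabled)")

def parse(text, year):
    """Yield (timestamp, message) per syslog line. The year is supplied by the
    caller because classic syslog timestamps do not carry one."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)

def correlate(messages, auth, year=2015, window=timedelta(minutes=5)):
    """For each 'promiscuous mode enabled' event, collect the auth.log entries
    logged within `window` before it. An empty list means no login or sudo
    activity explains the event, so it deserves a closer look."""
    auth_events = list(parse(auth, year))
    report = []
    for ts, msg in parse(messages, year):
        m = PROMISC.search(msg)
        if m and m.group(2) == "enabled":
            nearby = [a for t, a in auth_events if ts - window <= t <= ts]
            report.append((ts, m.group(1), nearby))
    return report

if __name__ == "__main__":
    for ts, iface, nearby in correlate(MESSAGES, AUTH):
        print(ts, iface, "preceded by:" if nearby else "NO auth activity in window")
        for entry in nearby:
            print("    ", entry)
```

In the constructed data the 08:12:01 event follows an SSH login and a sudo tcpdump, while the 09:30:10 event has no auth.log entry in the window.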