
I have installed the latest version of OSSEC HIDS (2.8.1), and I now keep getting these email notifications from it:

OSSEC HIDS Notification.
2015 Apr 08 11:26:17

Received From: Bath-Towel->/var/log/syslog
Rule: 5104 fired (level 8) -> "Interface entered in promiscuous(sniffing) mode."
Portion of the log(s):

Apr  8 11:26:15 Bath-Towel kernel: [   93.311372] device eth0 entered promiscuous mode



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2015 Apr 08 11:26:19

Received From: Bath-Towel->/var/log/syslog
Rule: 5104 fired (level 8) -> "Interface entered in promiscuous(sniffing) mode."
Portion of the log(s):

Apr  8 11:26:18 Bath-Towel kernel: [   95.824941] device eth0 entered promiscuous mode



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2015 Apr 08 11:26:23

Received From: Bath-Towel->/var/log/syslog
Rule: 5104 fired (level 8) -> "Interface entered in promiscuous(sniffing) mode."
Portion of the log(s):

Apr  8 11:26:21 Bath-Towel kernel: [   99.353199] device eth0 entered promiscuous mode



 --END OF NOTIFICATION

So what does this mean and should I be worried about it?


OS Information:

Description:    Ubuntu 14.10
Release:    14.10
  • Do you have tcpdump or wireshark or something like that installed (and possibly running)? – muru Apr 08 '15 at 11:12
  • @muru: Not that I know of. But how could I possibly check? –  Apr 08 '15 at 11:14
  • `apt-cache policy wireshark tcpdump` – muru Apr 08 '15 at 11:15
  • @muru: Wireshark does not appear to be installed, however tcpdump does. But how would I check if this activity is tcpdump? –  Apr 08 '15 at 11:18
  • That I don't know. I just know that using tcpdump usually sets the interface to promiscuous mode. – muru Apr 08 '15 at 11:22
  • @muru: How would I check if tcpdump is running? –  Apr 08 '15 at 11:22
  • `pgrep tcpdump -fa` – muru Apr 08 '15 at 11:23
  • @muru: There was no output from that command, but it seems to have executed successfully with no errors. –  Apr 08 '15 at 11:24
  • So it's not running now. – muru Apr 08 '15 at 11:24
  • @muru: So is tcpdump a program which is likely to run itself every now and then? And is there a log anywhere that will tell me when it has last been running? –  Apr 08 '15 at 11:26
  • Not by itself, no. It's a normal command, not a service. – muru Apr 08 '15 at 11:27
  • @muru: Ok, is there a log anywhere that would tell me if something ran it? Also, what exactly is "promiscuous(sniffing) mode"? –  Apr 08 '15 at 11:35
  • @muru: This may not be relevant, but when scanning my machine with `chkrootkit`, this was some of the output: `Checking 'sniffer'... lo: not promisc and no packet sniffer sockets eth0: PACKET SNIFFER(/sbin/dhclient[1322], /usr/bin/etherape[3742]) .` –  Apr 08 '15 at 11:56

2 Answers

3

If you installed software that allows sniffing and get this when starting software like Wireshark then:

  1. Stop worrying! You'll have a heart attack before your time! ;-)

  2. Promiscuous mode on a computer has nothing to do with catching nasty viruses like AIDS... It just means that your network adapter will be able to read TCP/IP packets that are meant for other adapters. (A.k.a. "sniffing" and that's a great tool to find obscure TCP/IP communication bugs)

Fabby
-2

1) Always worry... The hackers don't want you to pay attention to the logs and ethernet devices "mysteriously" turning on promiscuous mode for no reason.

2) Promiscuous mode on a computer has nothing to do with catching nasty viruses like AIDS... - No, but the behaviour is a red flag and should be investigated. Ignoring telltale signs like this and dismissing them is the lax security mindset that is plaguing so many businesses and institutions these days.

It just means that your network adapter will be able to read TCP/IP packets that are meant for other adapters. (A.k.a. "sniffing" and that's a great tool to find obscure TCP/IP communication bugs) - It is... IF, and I emphasize "IF", it is being done to troubleshoot and not to capture packets for malicious intent like footprinting the network or capturing unencrypted messages (email, etc.).

Erring on the side of caution is much preferable to ignoring potential security exploits.

As far as why this happened... the only thing I can think of is reviewing your system and application logs at around the time it happened and making sure it was something YOU did and not someone or something else.

motorious
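The comment thread (the `pgrep tcpdump -fa` and `chkrootkit` checks) and the second answer's advice to review the logs around the time of the event both come down to the same two questions: when did the interface flip into promiscuous mode, and which process holds a packet-capture socket right now? The script below is an added example, not code from the question, the answers, OSSEC or chkrootkit. It parses the kernel lines OSSEC rule 5104 fires on, then does what chkrootkit's sniffer check does by hand: it reads `/proc/net/packet` for open AF_PACKET sockets and walks `/proc/<pid>/fd` to map each socket inode back to a process and its command line. The syslog lines and the `/proc/net/packet` text embedded in it are constructed samples (the syslog lines are copied from the notifications above; the packet-socket table is made up), and the year argument is needed because syslog timestamps carry none.

```python
#!/usr/bin/env python3
"""Correlate 'entered promiscuous mode' kernel messages with the processes
that currently hold AF_PACKET (sniffer) sockets. Added example; reads real
/proc and /var/log/syslog only when run as a script."""
import os
import re
from datetime import datetime

# Kernel message that OSSEC rule 5104 matches (timestamp, host, device, entered/left).
PROMISC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[\s*[\d.]+\] device (?P<dev>\S+) (?P<action>entered|left) promiscuous mode$"
)

# Constructed sample: the three lines from the OSSEC notifications above.
SAMPLE_SYSLOG = [
    "Apr  8 11:26:15 Bath-Towel kernel: [   93.311372] device eth0 entered promiscuous mode",
    "Apr  8 11:26:18 Bath-Towel kernel: [   95.824941] device eth0 entered promiscuous mode",
    "Apr  8 11:26:21 Bath-Towel kernel: [   99.353199] device eth0 entered promiscuous mode",
]

# Constructed sample of /proc/net/packet (columns: sk RefCnt Type Proto Iface R Rmem User Inode).
SAMPLE_PROC_NET_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      12345
0000000000000000 3      3    0003   2     1 0      0      12346
"""


def parse_promisc_events(lines, year):
    """Return (datetime, host, device, action) for every promiscuous-mode transition."""
    events = []
    for line in lines:
        m = PROMISC_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["dev"], m["action"]))
    return events


def packet_socket_inodes(proc_net_packet_text):
    """Parse /proc/net/packet text into {socket inode: interface index}."""
    inodes = {}
    for line in proc_net_packet_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 9:
            continue
        inodes[int(fields[8])] = int(fields[4])
    return inodes


def socket_owners(inodes, proc_root="/proc"):
    """Map each socket inode to [(pid, cmdline), ...] by reading /proc/<pid>/fd symlinks.
    Returns empty owner lists when proc_root is unreadable (e.g. non-Linux hosts)."""
    owners = {ino: [] for ino in inodes}
    try:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:
        return owners
    for pid in pids:
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or not readable without root
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if not m or int(m.group(1)) not in owners:
                continue
            try:
                with open(os.path.join(proc_root, pid, "cmdline"), "rb") as f:
                    cmd = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            except OSError:
                cmd = "?"
            owners[int(m.group(1))].append((int(pid), cmd))
    return owners


if __name__ == "__main__":
    # Live run: needs root to see other users' /proc/<pid>/fd entries.
    with open("/var/log/syslog", errors="replace") as f:
        for ev in parse_promisc_events(f, datetime.now().year):
            print("%s %s %s %s promiscuous mode" % ev)
    with open("/proc/net/packet") as f:
        inodes = packet_socket_inodes(f.read())
    for ino, procs in socket_owners(inodes).items():
        print("packet socket inode %d (ifindex %d): %s" % (ino, inodes[ino], procs or "owner not visible"))
```

Run it as root so every process's fd table is readable; an inode with no visible owner usually just means the run was unprivileged. In the chkrootkit output quoted in the comments the two owners were `/sbin/dhclient` and `/usr/bin/etherape`: dhclient legitimately keeps a packet socket open for DHCP, while EtherApe is a graphical network monitor that captures traffic, so it is the obvious candidate for the transitions the kernel logged. Whether that is expected on the machine is the question the second answer is asking you to settle from the logs; `ip -d link show eth0` additionally reports the interface's current `promiscuity` count.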