Operating System - HP-UX

Promiscuous mode on Ethernet interfaces

 
SOLVED
Virgil Chereches_2
Frequent Advisor

Promiscuous mode on Ethernet interfaces

Hi!
Do you know any method to check whether a network interface is in promiscuous mode (on HP-UX, of course)?
A security auditor claims that this must be done on a regular basis as part of a good security policy.

Any response on this matter will be highly appreciated,
Virgil
G. Vrijhoeven
Honored Contributor

Re: Promiscuous mode on Ethernet interfaces

Hi Virgil,

You can use the command nettl to set a LAN card in promiscuous mode and log to a file, and you can use netfmt to search through that file (it can become a big file).
If your network is switched you can only see traffic in your VLAN.
Ask the auditor for a plan. This will generate a lot of data and you must have a plan/target before you can do anything useful with it; just collecting data is a waste of time/space.

HTH,

Gideon
curt larson_1
Honored Contributor
Solution

Re: Promiscuous mode on Ethernet interfaces

From Stanford University:

It is important to check your Ethernet card regularly to make sure it is not in promiscuous mode. Incidentally, if someone has put your card in promiscuous mode, your machine has had a root compromise. Hence, a simple cron job can give you early warning of any problems. It is possible that a hacker may remove your cron job, and a good one will. However, a surprising number of break-ins can be caught by running a promiscuous mode detection program.

We recommend ifstatus2.1. The nice thing about ifstatus is it will walk the device list and manually check ethernet cards for promiscuous mode. (If you don't know why this is a good thing, the reason is Solaris doesn't keep track of cards in promiscuous mode..you have to query them directly. Not an easy thing sometimes.)

Ifstatus is available in source and binary form for most operating systems. Solaris is an exception. For ifstatus to work on Solaris certain proprietary header files are needed. Again, running it out of crontab is the best idea. It's easy and will be non-intrusive in day to day operations.

Source Form: ifstatus2.1.tar.gz

http://www.stanford.edu/group/itss-ccs/security/unix/promisc.html
Virgil Chereches_2
Frequent Advisor

Re: Promiscuous mode on Ethernet interfaces

Thank you very much for your answers. Curt really understands the issue, so he earned the most points.


Best regards,
Virgil
curt larson_1
Honored Contributor

Re: Promiscuous mode on Ethernet interfaces

and if you do use ifstatus

ifstatus will report when an ethernet card is in promiscuous mode. Since it only generates output when a card is in promiscuous mode it is ideal for running out of crontab, say every hour. Simply add:
30 * * * * /usr/pubsw/sbin/ifstatus
to run ifstatus at half past every hour.
rick jones
Honored Contributor

Re: Promiscuous mode on Ethernet interfaces

Don't forget though that sometimes there are quite legitimate reasons for a NIC to be in promiscuous mode. Someone may be running tcpdump or ethereal to try to diagnose a problem.

A NIC may go into "multicast promiscuous" mode if enough multicast IPs are logged to get the number of multicast MAC addresses bound above the limits of the NIC to filter itself. I do not know if that will be visible to the checking tool or not.

Still, be ready for "false positives".
Virgil Chereches_2
Frequent Advisor

Re: Promiscuous mode on Ethernet interfaces

Thank you for your answers.
Has anyone succeeded in building ifstatus on HP-UX 11i?
It seems to be written to work on Solaris rather than anything else.


Stefan Farrelly
Honored Contributor

Re: Promiscuous mode on Ethernet interfaces

It's pretty straightforward to compile as per the Makefile instructions:

set in Makefile;
OSNAME = HPUX
comment out;
#LIBS = -lkvm -lelf -lnsl -lsocket

and then run make. It errors on the file compile, so run it manually:

cc -o ifstatus ifstatus.o if-generic.o if-solaris.o

Note, when you run ifstatus now it will only produce output if a LAN card is in promiscuous mode or if you run it with the -v flag. Run it from cron every hour or so as a security check.

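Putting the thread's advice together (Curt's hourly cron entry, Stefan's note that ifstatus is silent unless a card is promiscuous, and Rick's warning about legitimate sniffing causing false positives), here is an added example of a cron wrapper script. It is not code from the thread or from the ifstatus package. It assumes ifstatus is installed at /usr/pubsw/sbin/ifstatus (the path used in the cron line above), that it prints one line per promiscuous interface and that each such line contains the interface name (e.g. "lan0"); the allowlist file /etc/opt/ifstatus/allow, its format, and the variable names are invented here.

```shell
#!/bin/sh
# Added example (not from the thread or the ifstatus package): a cron wrapper
# around ifstatus that ignores interfaces you expect to be sniffing and raises
# the alarm for any other interface ifstatus reports as promiscuous.
#
# Assumptions: ifstatus prints nothing when no card is promiscuous, and one
# line naming the interface (e.g. "lan0") for each card that is. The path
# below is the one used in the cron line earlier in the thread; the allowlist
# file and its one-name-per-line, '#'-comment format are invented here.

IFSTATUS=${IFSTATUS:-/usr/pubsw/sbin/ifstatus}
ALLOWLIST=${ALLOWLIST:-/etc/opt/ifstatus/allow}

# check_promisc ALLOWFILE
#   Reads ifstatus output on stdin. Prints every line that does not mention
#   an allowlisted interface name and returns 1 if any such line was seen,
#   0 if the output was empty or every line matched the allowlist.
check_promisc() {
    allowfile=$1
    found=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        allowed=0
        if [ -r "$allowfile" ]; then
            while IFS= read -r iface; do
                case "$iface" in ''|'#'*) continue ;; esac     # skip blanks/comments
                case "$line" in *"$iface"*) allowed=1; break ;; esac
            done < "$allowfile"
        fi
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$line"
            found=1
        fi
    done
    return "$found"
}

# Cron entry point. Guarded so the script can be sourced or tested on a host
# without ifstatus; on a real HP-UX box run it as "30 * * * * /path/to/this".
if [ -x "$IFSTATUS" ]; then
    if report=$("$IFSTATUS" 2>&1 | check_promisc "$ALLOWLIST"); then
        :   # nothing unexpected: stay silent so cron sends no mail
    else
        # Record the finding somewhere an attacker with root would also have
        # to clean up: syslog (forward it off-box if you can) plus cron's mail.
        printf '%s\n' "$report" | while IFS= read -r l; do
            logger -p auth.alert -t ifstatus "$l"
        done
        printf 'Unexpected promiscuous interface(s) on %s:\n%s\n' "$(hostname)" "$report"
        exit 1
    fi
fi
```

The allowlist match is a plain substring match, so an entry "lan1" would also silence a report about "lan10"; keep the list short and specific, and remove an entry again as soon as the tcpdump or Ethereal session it covered is over. Because the wrapper only writes to stdout when something unexpected is found, cron's default behaviour of mailing any output to the job owner gives you the alert with no further setup.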
Virgil Chereches_2
Frequent Advisor

Re: Promiscuous mode on Ethernet interfaces

Sorry!
It's my fault; I read the instructions a few days ago, but when I started to compile it I forgot what I had read.
So please excuse my laziness,
Virgil