How to configure interface in “Promiscuous Mode” in CentOS/RHEL
What is a promiscuous mode for a NIC?
Promiscuous mode (or promisc mode) is a feature that makes the Ethernet card pass all traffic it receives to the kernel. It is usually used by packet-sniffing programs such as Wireshark and tcpdump. If such a program is running intentionally, or the host uses bridged networking for hardware virtualization, the “promiscuous mode” kernel message can simply be ignored. Otherwise, the system requires a thorough investigation, because an unexpected sniffer is a security issue.
When a network card is in promiscuous mode, it reads all traffic it receives rather than only the frames addressed to it. For example, putting ‘eth1’ into promiscuous mode passes every frame that eth1 receives to the kernel, not just the frames addressed to it. A network card is usually in promiscuous mode when:
- it was manually configured in that mode using the ifconfig command;
- a network monitoring tool such as tcpdump is in use;
- it is part of a bridge, since bridged networking generally requires the NIC to operate in promiscuous mode.
How to Manually set a NIC in Promiscuous Mode?
To set an interface to promiscuous mode you can use either of the following commands; using the ‘ip’ command is the current way.
To check whether the NIC has been set to promiscuous mode, use the ifconfig command.
Alternatively, use the “ip” command and grep for the promisc flag:
Persistent settings
To set the interface to promiscuous mode persistently, edit the ifcfg-ethX file and add “PROMISC=yes” at the end of the options.
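The checks described above can be scripted instead of eyeballed. The following added example (not code from the original article) decodes the kernel's own flag word from /sys/class/net/<iface>/flags, which does not depend on the ifconfig or ip binaries, and parses `ip -o link show` output for the PROMISC flag; the sample `ip` output is constructed for the demonstration.

```python
import re
from pathlib import Path
from typing import Callable

# net_device flag bits as exposed in /sys/class/net/<iface>/flags (<linux/if.h>).
IFF_FLAGS = {
    0x1: "UP", 0x2: "BROADCAST", 0x8: "LOOPBACK", 0x10: "POINTOPOINT",
    0x40: "RUNNING", 0x80: "NOARP", 0x100: "PROMISC", 0x200: "ALLMULTI",
    0x400: "MASTER", 0x800: "SLAVE", 0x1000: "MULTICAST",
}
IFF_PROMISC = 0x100

# Start of an `ip -o link show` line: "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> ..."
IP_LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")

# Constructed `ip -o link show` output for demonstration; not taken from a real host.
SAMPLE_IP_LINK = r"""
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 00:60:08:c5:93:6b brd ff:ff:ff:ff:ff:ff
3: eth1.100@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 00:60:08:c5:93:6c brd ff:ff:ff:ff:ff:ff
""".strip("\n")


def decode_flags(raw: str) -> set[str]:
    """Turn the sysfs hex string (e.g. '0x1103') into a set of flag names."""
    value = int(raw.strip(), 16)
    return {name for bit, name in IFF_FLAGS.items() if value & bit}


def sysfs_promisc(iface: str,
                  read: Callable[[str], str] = lambda p: Path(p).read_text()) -> bool:
    """Test IFF_PROMISC in the kernel's flag word; `read` is injectable for testing."""
    return bool(int(read(f"/sys/class/net/{iface}/flags"), 16) & IFF_PROMISC)


def promisc_from_ip_link(output: str) -> dict[str, bool]:
    """Parse `ip -o link show` output into {interface: PROMISC flag present}."""
    result = {}
    for line in output.splitlines():
        m = IP_LINK_RE.match(line)
        if m:
            # Flags are a comma-separated list inside <...>; match the whole token.
            result[m["name"]] = "PROMISC" in m["flags"].split(",")
    return result


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["ip", "-o", "link", "show"],
                         capture_output=True, text=True, check=True).stdout
    for name, promisc in promisc_from_ip_link(out).items():
        flags = sorted(decode_flags(Path(f"/sys/class/net/{name}/flags").read_text()))
        print(f"{name}: ip says {'PROMISC' if promisc else 'normal'}; sysfs flags {flags}")
```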
Source
How to properly put network interface into promiscuous mode on Linux
So how do you do this properly?
I know how to do it by creating a socket, then setting the IFF_PROMISC flag using ioctl (as explained in “howto check a network devices status in C?” and elsewhere), but this looks flawed at least in theory.
- you read flags via ioctl
- you update flags
- someone else modified flags
- you set updated flags via ioctl
Is there a better way or do I simply worry too much?
Later I found that one should add interface to PACKET_MR_PROMISC via setsockopt (which also does not have a race) like this:
Unfortunately this has no effect whatsoever on the interface, although it should, if I understand the doc correctly. Possibly broken since 2001 ™? Comments in pcap source also complain about this.
1 Answer 1
PACKET_MR_PROMISC turns on promiscuous mode for the device. That will not be reflected in the status shown by ifconfig as it does not modify the state of the global IFF_PROMISC flag on the device. That does not mean it hasn’t been done though. This is how the pcap library works now and the fact that wireshark (and a dozen other utilities) can open a device and see packets not addressed to the local system shows that it works.
There is an internal counter on each device that is incremented each time a process uses PACKET_MR_PROMISC, and decremented when that process goes away. That solves the race you originally described.
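The PACKET_MR_PROMISC approach from the answer, as an added example that is not the poster's or the answerer's code: it builds the packet_mreq structure the kernel expects and attaches it to an AF_PACKET socket with PACKET_ADD_MEMBERSHIP. The numeric constants are the Linux kernel values from <linux/if_packet.h>, hardcoded because the Python socket module does not export all of them; running open_promisc_socket() requires Linux and CAP_NET_RAW.

```python
import socket
import struct

# Linux constants from <linux/if_packet.h>; fall back to the kernel values
# where the Python socket module does not provide them.
SOL_PACKET = getattr(socket, "SOL_PACKET", 263)
PACKET_ADD_MEMBERSHIP = 1
PACKET_DROP_MEMBERSHIP = 2
PACKET_MR_PROMISC = 1
ETH_P_ALL = 0x0003

# struct packet_mreq { int mr_ifindex; unsigned short mr_type;
#                      unsigned short mr_alen; unsigned char mr_address[8]; }
PACKET_MREQ = struct.Struct("iHH8s")


def packet_mreq(ifindex: int, mr_type: int = PACKET_MR_PROMISC) -> bytes:
    """Build the 16-byte packet_mreq for setsockopt(PACKET_ADD_MEMBERSHIP).

    For PACKET_MR_PROMISC only mr_ifindex and mr_type are meaningful; mr_alen
    and mr_address are used by PACKET_MR_MULTICAST and stay zeroed here.
    """
    if ifindex <= 0:
        raise ValueError("interface index must be positive")
    return PACKET_MREQ.pack(ifindex, mr_type, 0, b"\x00" * 8)


def parse_packet_mreq(raw: bytes) -> dict:
    """Inverse of packet_mreq(); handy for checking what would be sent to the kernel."""
    ifindex, mr_type, mr_alen, address = PACKET_MREQ.unpack(raw)
    return {"ifindex": ifindex, "type": mr_type, "alen": mr_alen, "address": address}


def open_promisc_socket(ifname: str) -> socket.socket:
    """Put ifname into promiscuous mode for the lifetime of the returned socket.

    Unlike a SIOCGIFFLAGS/SIOCSIFFLAGS read-modify-write, the kernel keeps a
    per-device promiscuity count: each PACKET_MR_PROMISC membership increments
    it, and closing the socket (or PACKET_DROP_MEMBERSHIP) decrements it, so
    two processes cannot clobber each other's change.
    """
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    try:
        sock.bind((ifname, 0))
        ifindex = socket.if_nametoindex(ifname)
        sock.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP, packet_mreq(ifindex))
    except OSError:
        sock.close()
        raise
    return sock


if __name__ == "__main__":
    import sys
    with open_promisc_socket(sys.argv[1] if len(sys.argv) > 1 else "eth0") as s:
        frame, addr = s.recvfrom(65535)
        # addr[2] is sll_pkttype; PACKET_OTHERHOST (3) means a frame not addressed to us.
        print(f"captured {len(frame)} bytes on {addr[0]}, pkttype={addr[2]}")
```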
Source
Promiscuous Mode
Filtering, Normalization, and Correlation
Anton Chuvakin, Chris Phillips, in Logging and Log Management, 2013
Promiscuous Mode Detection
When a network interface is placed into promiscuous mode, all packets are sent to the kernel for processing, including packets not destined for the MAC address of the network interface card. The main reason this is a bad thing is that users on a system with a promiscuous-mode interface can now use a sniffer to view any and all network packets. Let’s look at how to detect an interface going into promiscuous mode on Linux:
pattern=^.*(\d+\.\d+\.\d+\.\d+).* (.*?) entered promiscuous mode$
action= write - Interface $2 on $1 entered promiscuous mode
Here the SEC rule detects the host and the host’s network interface that went into promiscuous mode.
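The same detection in Python, as an added example rather than the book's SEC rule: it keeps the rule's two capture groups (host address, interface name), also tracks the kernel's "left promiscuous mode" message so it can report which interfaces are still promiscuous at the end of the log, and suppresses interfaces that are promiscuous by design (a bridge port, a sensor). The syslog lines and the expected-interface list are constructed for the demonstration.

```python
import re

# Same capture groups as the SEC rule (host address, then interface name),
# extended to recognise the matching "left promiscuous mode" kernel message.
PROMISC_RE = re.compile(
    r"^.*?(?P<host>\d+\.\d+\.\d+\.\d+).*?\bdevice (?P<iface>\S+) "
    r"(?P<state>entered|left) promiscuous mode$"
)

# Constructed syslog lines for demonstration; not from a real system.
SAMPLE_LOG = """\
Mar  3 09:12:41 10.0.0.21 kernel: device eth0 entered promiscuous mode
Mar  3 09:12:42 10.0.0.21 kernel: eth0: link up
Mar  3 09:13:05 10.0.0.22 kernel: device eth1 entered promiscuous mode
Mar  3 09:13:09 10.0.0.23 kernel: device br0 entered promiscuous mode
Mar  3 09:13:30 10.0.0.21 kernel: device eth0 left promiscuous mode
"""

# Hypothetical allow-list: interfaces that are promiscuous by design
# (here a bridge port on 10.0.0.23); their events are parsed but not alerted.
EXPECTED_PROMISC = {("10.0.0.23", "br0")}


def parse_events(log: str) -> list[tuple[str, str, str]]:
    """Return (host, iface, state) for every promiscuous-mode kernel message."""
    events = []
    for line in log.splitlines():
        m = PROMISC_RE.match(line)
        if m:
            events.append((m["host"], m["iface"], m["state"]))
    return events


def alerts(log: str, expected=frozenset()) -> list[str]:
    """Render the SEC 'write' action text, skipping interfaces on the allow-list."""
    return [
        f"Interface {iface} on {host} {state} promiscuous mode"
        for host, iface, state in parse_events(log)
        if (host, iface) not in expected
    ]


def still_promiscuous(log: str) -> set[tuple[str, str]]:
    """Interfaces whose 'entered' has no later 'left' by the end of the log."""
    active: set[tuple[str, str]] = set()
    for host, iface, state in parse_events(log):
        if state == "entered":
            active.add((host, iface))
        else:
            active.discard((host, iface))
    return active


if __name__ == "__main__":
    for line in alerts(SAMPLE_LOG, EXPECTED_PROMISC):
        print(line)
    print("still promiscuous:", sorted(still_promiscuous(SAMPLE_LOG)))
```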
Installing Sniffer Pro
Configuring Network Interfaces and Drivers
Sniffer Pro requires a NIC that can operate in promiscuous mode.
Default NDIS drivers do not provide the performance and stability that enhanced NAI drivers do. Enhanced NAI drivers are available only for certain NICs as recommended by NAI.
NAI’s enhanced drivers are designed to pass physical layers to the Sniffer Pro software.
The Fast Ethernet Full Duplex Pod can be used to capture full-duplex traffic off the network.
For highest levels of capture performance, maximize the amount of physical memory and processor speed on the Sniffer Pro system. You can also turn off the real-time expert as well as router expert capabilities if you do not need these features.
Integrating Ethereal with Other Sniffers
Microsoft Network Monitor
Microsoft Network Monitor is a tool that comes with Windows 2000 Server. It is used to detect and troubleshoot network problems, including identifying network traffic patterns and statistics. It is not installed by default, but it can be added by selecting Management and Monitoring Tools | Network Monitor Tools during installation, or later using Add/Remove Programs. Network Monitor can capture packets directly from the network and display, filter, save and print captured packets. It can also open previously saved capture files that are in the proper format. For our example we are using the Network Monitor 2.0 Lite version that is included with Windows 2000 Server.
The Network Monitor main window includes four window panes, as shown in Figure 7.9. The top left pane is the Graph pane, a graphical representation of current network activity. The middle left pane is the Session Statistics pane, which displays statistics about current individual network sessions. The bottom pane is the Station Statistics pane, which displays statistics about sessions sent to and from the computer that is running Network Monitor. Finally, the top right pane is the Total Statistics pane, which displays summary statistics about network activity detected since the capture process began.
Figure 7.9. Microsoft Network Monitor Window
NOTE
The Windows 2000 Network Monitor does not capture packets in promiscuous mode. To do that you need to use the version of Network Monitor included with Systems Management Server version 2.0.
Capturing and Saving Data With Network Monitor
To begin a capture, select Capture | Start. You will notice the statistics begin changing, connections appear, and the time elapsed increasing. Once you have captured data, you can display it by selecting Capture | Stop and View. The Frame View window will open a listing of the captured data in a summary line view. If you double-click on one of the lines, the window will change to a three-pane view. This view has a summary top pane, a detailed protocol tree middle pane, and a hexadecimal data dump bottom pane. Figure 7.10 shows the Frame View window.
Figure 7.10. Microsoft Network Monitor Frame View Window
Once you have captured and viewed your data, you can save the capture to a file by selecting File | Save As. You can choose the location that you would like to save the file, give it a filename, and click Save. Now that we have our output saved to a capture file, all we need to do is open it with Ethereal. Once you have opened Ethereal, select File | Open. Browse to the location of the capture file and select it, then click OK. Ethereal will open it and automatically read it! Figure 7.11 shows the Ethereal output of the Network Monitor netmon_capture.cap file.
Figure 7.11. Ethereal Display of Network Monitor Capture
Reading Ethereal Files With Network Monitor
Network Monitor can also read and process properly formatted capture files. This means you can capture files with Ethereal and then read them with Network Monitor, as long as you save them in the Network Monitor format. Once you have captured your data with Ethereal, select File | Save As. Browse to the location where you would like to save your capture. Next, choose the correct output type from the File Type pull-down menu. In our case we are saving to Microsoft Network Monitor 2.x. Type in a file name under Selection, make sure to give it a .cap extension, and click OK. Network Monitor will open the file even without the extension, but this makes finding it easier.
You can now open up the Ethereal capture file in Network Monitor by selecting File | Open. Browse to the location of the saved file, select it and click Open. You will now see the packets displayed in the Frame View window.
Layer 2: The Data Link Layer
Local Detection
Many operating systems provide a mechanism to determine whether a network interface is running in promiscuous mode. This is usually represented in a type of status flag that is associated with each network interface and maintained in the kernel. This can be obtained by using the ifconfig command on UNIX-based systems.
The following examples show an interface on the Linux operating system when it isn’t in promiscuous mode:
eth0      Link encap:Ethernet  HWaddr 00:60:08:C5:93:6B
          inet addr:10.0.0.21  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1492448 errors:2779 dropped:0 overruns:2779 frame:2779
          TX packets:1282868 errors:0 dropped:0 overruns:0 carrier:0
          collisions:10575 txqueuelen:100
          Interrupt:10 Base address:0x300
Note that the attributes of this interface mention nothing about promiscuous mode. When the interface is placed into promiscuous mode, as shown next, the PROMISC keyword appears in the attributes section:
eth0      Link encap:Ethernet  HWaddr 00:60:08:C5:93:6B
          inet addr:10.0.0.21  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1492330 errors:2779 dropped:0 overruns:2779 frame:2779
          TX packets:1282769 errors:0 dropped:0 overruns:0 carrier:0
          collisions:10575 txqueuelen:100
          Interrupt:10 Base address:0x300
It is important to note that if an attacker has compromised the security of the host on which you run this command, he or she can easily affect this output. An important part of an attacker’s toolkit is a replacement ifconfig command that does not report interfaces in promiscuous mode.
Understanding the Terrain
Interfaces
After gaining control of a system, an attacker sometimes places a network interface into promiscuous mode in order to sniff the network for other sensitive information. Although network security monitoring can detect a promiscuous interface, it is also something that a host integrity monitoring system can easily detect. Most UNIX systems reveal promiscuous status in the interface viewed with the ifconfig command. For example, on FreeBSD:
It is possible to mitigate this problem through system configuration. On FreeBSD, an interface can be prevented from being put into promiscuous mode by removing Berkeley Packet Filter (BPF) support from the kernel. This requires a kernel recompile, as the default kernel comes with BPF support. However, this is not always an option, because some applications (e.g., Snort) require this support. In that case, it makes sense to monitor your network interfaces so that you are aware of which interfaces are promiscuous and when.
Malware Incident Response
James M. Aquilina, in Malware Forensics, 2008
Network Configuration
When documenting the configuration of the subject system, digital investigators keep an eye open for unusual items such as a Virtual Private Network (VPN) adapter configured on a system that does not legitimately use a VPN. More sophisticated malware sets up a VPN connection to a remote command and control node, providing a method of communication over the network that is difficult to detect using Intrusion Detection Software (IDS) and other network monitoring systems.
It is also advisable to check whether a network card of the subject system is in promiscuous mode, which generally indicates that a sniffer is running. Several tools are available for this purpose, including Promiscdetect, shown below in Figure 1.13, and Microsoft’s Promqry, which requires the .NET framework. Examining Kim’s adapter configuration, we learn that it is in promiscuous mode. Without further context, it’s unclear how relevant this is to the investigation.
Figure 1.13. Displaying Adapter Configuration with PromisDetect
It can also be illuminating to document which protocols are enabled on the subject system. For instance, knowing that Windows file and print sharing are enabled alerts digital investigators to the possibility that malware was delivered via a file share. Furthermore, by default, Windows Vista is configured to support Teredo, a protocol that tunnels IPv6 through User Datagram Protocol (UDP), and Windows XP can be configured to support this protocol. The Teredo protocol can be abused by malware to bypass network address translation devices.
Snort: The Inner Workings
Jay Beale, Brian Caswell, in Snort Intrusion Detection 2.0, 2003
Solutions Fast Track
Snort Components
At the core of Snort’s network capture capability is the libpcap library and a network card in promiscuous mode.
A promiscuous-mode network card captures all of the network traffic it sees, unlike other network cards that filter on the MAC address contained within the Ethernet frame. The libpcap library provides Snort with a cross-platform method of linking into the network cards of most major UNIX and Windows platforms.
Decoding Packets
Snort can decode a large number of protocols, from Ethernet, Token Ring, and Wireless to the higher-layer protocols such as IP, TCP, and UDP.
Snort doesn’t decode protocols such as IPX and IPv6. It merely recognizes them and uses them later for statistics.
Snort stores the packets in data structures, which form pointers to the raw data from libpcap.
Processing Packets 101
The preprocessors mangle, alert, and drop packets before they arrive at the main detection engine in Snort.
The frag2 preprocessor reassembles fragmented packets, while stream4 gives Snort stateful inspection functionality.
Understanding Rule Parsing and Detection Engines
The core detection engine uses text-based rules stored in a 3D linked list. The third dimension of the list links to detection plug-ins, while the first and second dimensions link to the Rule Header and Rule Options fields of the rule.
The detection plug-ins provide additional tests that can be performed on a packet.
The Pass rule is used to ignore certain types of traffic or signatures, while the Log rule merely logs traffic without alerting.
Output and Logs
Snort has a number of uses: as a sniffer, for intrusion detection, and for the capture of network traffic in a honeypot scenario.
Snort has two different output modes: Alerting and Logging. Within the Alerting and Logging modes, further options are available.
Logging to a database involves setting up the database structures beforehand and then configuring the snort.conf to connect and write to that database.
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.
Q: How do I go about writing one of my own preprocessor or detection plugins?
A: There are template files contained in the template subdirectory from the main src directory. There is a template set for detection plug-ins (sp_template.c and sp_template.h), and a template set for preprocessors (spp_template.c and spp_template.h). You need to write quality preprocessor and detection plug-ins; poorly written plug-ins can slow Snort down and, in some cases, cause Snort to crash. Scott Campbell has written a nice little DNS preprocessor (www.geocities.com/axonpotential/snort/19/). It’s clearly documented and we recommend that you have a look at it.
Q: In Snort ver 2.0.0, do fragrouter and stick still cause problems?
A: During a recent IDS vendor test by http://nss.co.uk, they used both stick and fragrouter to test the detection as part of their overall testing strategy. Snort version 1.8.6 performed well in these tests, missing only one or two types of stick and fragrouter attacks. However, with version 2.0.0 of Snort, improvements were made to fix these shortcomings. The “IDS Group Test Report Edition 3” is well worth reading; the testers at NSS wrote an excellent unbiased report on a number of IDS vendors. The testing equipment they use to put the IDS under heavy load is quite cool too.
Q: How fast is the decode engine?
A: One of the most popular questions asked of Marty Roesch is, “How fast is Snort?” A properly configured Snort machine can handle 100MB of network traffic (dependent on the number of rules and preprocessor configurations). At the higher levels, around the 200 to 350MB per-second mark, libpcap is reading packets from the network card at a large rate and then calling the ProcessPacket() function within Snort. Calling ProcessPacket() uses up CPU cycles, which at high speed overloads the system. The decode engine will get the traffic, but with on average a 50-percent packet loss. (On Linux, an optimized version of libpcap can be downloaded to increase performance: http://public.lanl.gov/cpw/.) Even with an optimized libpcap driver, the preprocessors will need to be finely tuned to handle 200 to 350MB of traffic, or in some cases should be turned off.
Q: Is the use of the libpcap model going to change for high-speed networks?
A: The Snort 2.0 architecture allows for what are called “acquisition plug-ins.” These plug-ins allow a developer to write a specific packet-capture network card driver for a particular operating system (Linux), and this plug-in would provide Snort with packet capture at much higher speeds. By doing this, you will lose the portability aspect of Snort, as it will be tied to one particular network card and operating system. However, you will gain much higher packet capture speeds because of the tight integration with the network card, which would then link directly to Snort, thereby reducing the overheads on the system because of the libpcap library.
Q: How do I enable Barnyard?
A: Barnyard can be downloaded from www.snort.org/dl/barnyard. Once downloaded, follow these steps:
- Compile the Barnyard source code and install.
- Configure your snort.conf configuration file, and set up Snort for “Unified mode” (see the earlier section Barnyard and Unified Output).
- Configure your Barnyard.conf configuration file with the desired output format.
- Start up Snort and then start up Barnyard.
Remember that Barnyard is still in beta, so report any bugs or errors to the Barnyard mailing list. More detailed information regarding Barnyard can be found in Chapter 11, “Mucking Around with Barnyard.”
Source