The test packet_cap_apps looks for an inode in /proc/net/packet, and then greps for this inode in the output of
lsof -lMnPw -d 1-20
This can lead to false positives, for example when there is a match with the size of a file. Case study:
$ cat /proc/net/packet
sk RefCnt Type Proto Iface R Rmem User Inode
f5d18800 3 3 0003 2 1 0 0 5946
## this one is probably dhclient
$ dd if=/dev/zero of=toto bs=1 count=5946
$ tail -f toto
## and in another xterm:
$ rkhunter --enable packet_cap_apps --report-warnings-only
Warning: Process '/usr/bin/tail' (PID 18996) is listening on the network.
(tested with rkhunter-1.4.0-1.el5)
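The collision described above, reproduced as an added example that is not part of the original report or of rkhunter's own code. It assumes lsof's usual column layout (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME), in which a socket's inode appears in the DEVICE column with TYPE pack while a regular file's size sits in SIZE/OFF. The /proc/net/packet and lsof lines are constructed to mirror the report; the tail entry's node number and path are made up. naive_owners greps the whole line the way the report describes the test doing, strict_owners only accepts pack-type rows whose DEVICE field equals the inode:

```shell
#!/bin/sh
# Added example: packet-socket owner lookup, naive (whole-line grep) vs. column-aware.
# Sample data below is constructed to mirror the report; it is not real output.

# Constructed /proc/net/packet: one AF_PACKET socket with inode 5946.
PROC_NET_PACKET_SAMPLE='sk       RefCnt Type Proto Iface R Rmem   User   Inode
f5d18800 3      3    0003  2     1 0      0      5946'

# Constructed `lsof -lMnPw -d 1-20` output (assumed layout: COMMAND PID USER FD
# TYPE DEVICE SIZE/OFF NODE NAME; for sockets lsof puts the inode in DEVICE).
# tail holds a regular file whose size happens to equal the socket inode.
LSOF_SAMPLE='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dhclient 1234    0    5u  pack   5946      0t0  ALL type=SOCK_RAW
tail    18996 1000    3r   REG    8,1     5946 1313 /home/user/toto
bash     4321 1000    1u   CHR  136,2      0t0    5 /dev/pts/2'

# Inodes of every AF_PACKET socket (last column, header skipped).
packet_inodes() {
    printf '%s\n' "$PROC_NET_PACKET_SAMPLE" | awk 'NR > 1 { print $NF }'
}

# Naive lookup, as the report describes the test: any line containing the
# inode as a whitespace-delimited token counts, so a file size (or a NODE
# number) that equals the inode produces a spurious owner.
naive_owners() {
    printf '%s\n' "$LSOF_SAMPLE" \
        | grep -E "[[:space:]]$1"'([[:space:]]|$)' \
        | awk '!seen[$1]++ { out = out (out ? " " : "") $1 } END { print out }'
}

# Column-aware lookup: only TYPE "pack" rows whose DEVICE field is the inode.
strict_owners() {
    printf '%s\n' "$LSOF_SAMPLE" \
        | awk -v inode="$1" \
            'NR > 1 && $5 == "pack" && $6 == inode && !seen[$1]++ {
                 out = out (out ? " " : "") $1
             }
             END { print out }'
}

# Print both verdicts for every packet socket; the naive one lists tail too.
for inode in $(packet_inodes); do
    echo "inode $inode: naive=[$(naive_owners "$inode")] strict=[$(strict_owners "$inode")]"
done
```

To run this against a live box, replace the two sample variables with the output of `cat /proc/net/packet` and `lsof -lMnPw -d 1-20 2>/dev/null`. The point is to compare the inode against the field that actually carries socket inodes rather than against every token on the line; lsof's -F machine-readable output would avoid the column counting altogether.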