On Thu, 2 May 2024 13:24:33 +0200 Vincent Lefevre <vinc...@vinc17.net> wrote:

> The "chkrootkit -s" example in the man page is
>
> chkrootkit -s '(systemd-netword|NetworkManager|wpa_supplicant)'
>
> but if an unrecognized packet sniffer is added on one of the
> interfaces, it will not be detected.

Can you give an example of what is not detected? I think this should work fine (you've definitely spotted some typos and unclear language in the man page which will be fixed, but I'm not sure there is a functionality bug here -- I suspect it's just that the man page was too confusing!)

> And "where the argument lists whicher managers you expect to be
> present" is confusing (BTW, "whicher" is wrong).

Yes, thanks for reporting this - will improve the wording.

> The match is
> not done on individual managers, but on the whole line output
> by ifpromisc.

This is correct, and we should add it to the man page, but:

> If I understand correctly, it should be something more like
>
> chkrootkit -s '^[[:alnum:]]+: PACKET SNIFFER\(((/usr/lib/systemd/systemd-networkd|/usr/sbin/(dhclient|dhcpc?d[0-9]*|wpa_supplicant|NetworkManager))\[[0-9]+\](, )?)+\)$'
>
> (inspired by the default FILTER).

While this is a more 'technically correct' way for sure, any line matching the regexp is removed from the output, so the example in the man page does work (at the risk of matching 'too much') -- can you explain what doesn't work? (There are some grammar issues which will be fixed, but I think the example works, unless I am missing something.)
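To make the filtering behaviour discussed in this thread concrete, here is an added shell example; it is not code from the chkrootkit project or from either poster. It runs both patterns quoted above, the short one from the man page and the longer one proposed in the reply, over a few constructed ifpromisc-style lines and returns the lines each filter lets through. It assumes the semantics stated in the reply ("any line matching the regexp is removed from the output") are implemented as `grep -E -v`, and that ifpromisc lines have the shape `<iface>: PACKET SNIFFER(<path>[<pid>], ...)` implied by the longer regex; every sample line, including the `/tmp/unknown_sniffer` path, is constructed for the demonstration.

```shell
#!/bin/sh
# Constructed ifpromisc-style lines (assumed shape: "<iface>: PACKET SNIFFER(<path>[<pid>], ...)").
# The /tmp/unknown_sniffer entries are made up for the demonstration.
SAMPLE='eth0: PACKET SNIFFER(/usr/sbin/NetworkManager[1234])
wlan0: PACKET SNIFFER(/usr/sbin/wpa_supplicant[777], /usr/sbin/NetworkManager[1234])
eth1: PACKET SNIFFER(/usr/sbin/NetworkManager[1234], /tmp/unknown_sniffer[4242])
eth2: PACKET SNIFFER(/tmp/unknown_sniffer[4242])'

# The two patterns from the thread, verbatim.
LOOSE='(systemd-networkd|NetworkManager|wpa_supplicant)'
STRICT='^[[:alnum:]]+: PACKET SNIFFER\(((/usr/lib/systemd/systemd-networkd|/usr/sbin/(dhclient|dhcpc?d[0-9]*|wpa_supplicant|NetworkManager))\[[0-9]+\](, )?)+\)$'

# apply_filter PATTERN
# Prints the lines that survive the filter. Assumption: "any line matching
# the regexp is removed from the output" behaves like `grep -E -v`.
apply_filter() {
    printf '%s\n' "$SAMPLE" | grep -E -v -e "$1"
}

# count_kept PATTERN
# Number of lines that survive the filter (i.e. would still be reported).
count_kept() {
    apply_filter "$1" | grep -c .
}

# Stand-alone run: show what each filter leaves in the report.
if [ "${0##*/}" != "sh" ] && [ -z "${SNIFFER_FILTER_NO_MAIN:-}" ]; then
    echo "== lines kept by the man-page pattern =="
    apply_filter "$LOOSE"
    echo "== lines kept by the longer pattern =="
    apply_filter "$STRICT"
fi
```

Run it with `sh`; the surviving lines for each pattern are printed one after the other, so the difference between the two filters on the mixed `eth1` line is visible directly. `count_kept` is there so the result can also be checked numerically in a script.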