We've been getting notifications from AlertLogic (AL) about our Ubuntu 20.04.5 LTS out-of-the-box Linux instance entering "Promiscuous mode". I have checked both Linux network interfaces ('ip -d link') and they're set to 'promiscuity 0'; the VMWare ESXI host configuration hosting the Linux instance also has all network interfaces' "Promiscuous mode" set to Reject. The AL alert states:
Attack Summary
Discovery / Network Sniffing
Attack Detail:
Device entering Promiscuous mode on interface ethF
Hostname: DEVICE NAME
The local host at IP_ADDRESS has been detected entering promiscuous mode. When a device interface enters promiscuous mode it captures all packets traversing the network segment the device interface is connected to. Thus any sensitive data (user names, passwords etc.) traversing the network that is not being sent encrypted can be captured. Whilst this activity is associated with troubleshooting by administrators (using tools like "tcpdump" and "wireshark"), it can also be indicative of unauthorised activity and should be investigated.
There is absolutely no software that would enable this mode on the network interfaces, as this is an out-of-the-box Ubuntu instance running some shell scripts that never touch tcpdump or wireshark. However, I noticed in the /etc/passwd file a user:
tcpdump:x:REMOVED:REMOVED::/nonexistent:/usr/sbin/nologin
I have also checked: only one user has super-user access, and they have never run this command. Does anyone know if Ubuntu uses tcpdump in the background, and when and for what reason?
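For anyone triaging an alert like this, here is an added example (not from the original post) that bundles the checks into one script: the IFF_PROMISC bit in /sys/class/net/<if>/flags, the promiscuity counter from `ip -d link`, open AF_PACKET sockets (what tcpdump/wireshark/dumpcap hold), and the kernel's "entered promiscuous mode" log lines. Interface names and the sample output embedded below are constructed for illustration; the live checks assume a standard Ubuntu host with `ip`, `ss` and `journalctl`.

```shell
#!/bin/sh
# Added example, not part of the original post. Run with --live as root
# on the host under investigation; without --live only the parsers load.

# IFF_PROMISC is bit 0x100 of the flags word exposed in
# /sys/class/net/<if>/flags (same bit `ip link` shows as PROMISC).
is_promisc_flags() {            # $1 = hex flags string, e.g. 0x1103
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# Parse `ip -d link` output on stdin; print "<ifname> <promiscuity>" for
# every interface whose promiscuity counter is non-zero. The counter is
# the number of holders (capture sockets, bridges) that asked for PROMISC.
promisc_from_ip_link() {
    awk '/^[0-9]+: / { sub(/:$/, "", $2); ifname = $2 }
         /promiscuity/ { for (i = 1; i <= NF; i++)
             if ($i == "promiscuity" && $(i+1) > 0) print ifname, $(i+1) }'
}

# The kernel logs "device ethX entered promiscuous mode" each time a
# capture starts; count those transitions in log text on stdin.
count_promisc_events() {
    grep -c 'entered promiscuous mode' || true
}

# Live audit: current flag state, counters, packet-socket owners, history.
audit_host() {
    for f in /sys/class/net/*/flags; do
        ifname=$(basename "$(dirname "$f")")
        if is_promisc_flags "$(cat "$f")"; then
            echo "PROMISC flag set on $ifname"
        fi
    done
    ip -d link | promisc_from_ip_link
    echo "--- processes holding AF_PACKET sockets (tcpdump, wireshark, ...):"
    ss -0 -p 2>/dev/null | tail -n +2
    echo "--- promiscuous-mode transitions seen in the kernel log:"
    journalctl -k --no-pager | count_promisc_events
}

if [ "${1:-}" = "--live" ]; then
    audit_host
fi
```

A promiscuity counter of 0 and no PROMISC flag only describe the current state; a short-lived capture shows up in the kernel log count and in the timestamps of the journal lines, which is the evidence to line up against the alert time.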