> I'm doing some work for a client who has had some suggestions that they > run a program to watch the state of ifconfig, and send mail if the > interface ever goes promiscuous. This works just fine under SunOS 4.x, > however, their concern is that this does not appear to work for Solaris 2.x. The first thing many crackers do is replace ifconfig with a trojan that won't report when an interface is in promiscuous mode. You could look at 'cpm', which will also show when an interface is promiscuous. It's available from ftp.cert.org. You're still in the same boat if someone replaces it with their own, however. ...Eric