Web Hosting Talk







View Full Version : Checkroot report "Sniffer... is Promisc"?


fx1024
02-28-2005, 03:29 AM
Recently I hired a professional to harden my FreeBSD box. Looking at the Chkrootkit reports I now get by mail, I noticed that there is a line that mentions:

Checking `sniffer'... rl0 is PROMISC

Everything else looks OK with "not found" or "not infected".

Is this something I must worry about? Or is it normal?

I would appreciate any feedback!

gabbar
02-28-2005, 04:57 AM
Hi,

I don't think there's anything to worry about here. Promisc looks to be a mode for the Ethernet card in FreeBSD. I'm not an expert on this, but this doesn't look bad to me. I did some searching and found that out. You can straight away ask the guys who secured your box! I guess they're the best ones to answer this!

Regards,
Gabbar

Vovik
02-28-2005, 05:35 AM
As one variant, some traffic counter or filter may be running on the interface rl0. In the worse variant, someone is listening to the traffic and can capture your passwords and logins if they are not encrypted (telnet, e-mail, ftp).

simscripts
02-28-2005, 07:05 AM
Any interface should be in PROMISC mode only if the interface is meant to be used as part of a bridge. If not, then someone may be using the interface to sniff the traffic in your network. You should check to see if you have any sniffers running.
If you're not using the interface as a bridge then you should disable the PROMISC mode.
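
The check described in the post above, as an added example that is not part of any post in this thread: shell functions that list the interfaces whose flags include PROMISC and the processes holding a BPF device open, which is how packet capture tools and traffic counters attach to an interface on FreeBSD. The function names and the sample `ifconfig`/`fstat` output are constructed for illustration.

```shell
#!/bin/sh
# Added example. On the live host feed real output instead of the samples:
#   ifconfig -a | promisc_ifaces
#   fstat | bpf_holders

# Print the name of every interface whose flag list contains PROMISC.
promisc_ifaces() {
    awk '$0 !~ /^[ \t]/ && /flags=/ {
        name = $1; sub(/:$/, "", name)
        flags = $0; sub(/^[^<]*</, "", flags); sub(/>.*/, "", flags)
        n = split(flags, f, ",")
        for (i = 1; i <= n; i++) if (f[i] == "PROMISC") print name
    }'
}

# Print "command pid device" for every process with a bpf device open
# (fstat columns: USER CMD PID FD MOUNT INUM MODE SZ|DV R/W).
bpf_holders() {
    awk 'NR > 1 && $8 ~ /^bpf/ { print $2, $3, $8 }'
}

# Constructed sample data (not from the poster's server).
SAMPLE_IFCONFIG='rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

SAMPLE_FSTAT='USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
root     tcpdump     4321    3 /dev         27 crw-------    bpf0  rw
root     syslogd      410    4 /dev         12 crw-------    klog  r
root     sshd         600 text /usr      94211 -r-xr-xr-x  245832  r'

# Combine both views: which interface is promiscuous, and who could have set it.
report() {
    ifs=$(printf '%s\n' "$1" | promisc_ifaces)
    if [ -z "$ifs" ]; then echo "no interface in PROMISC mode"; return 0; fi
    echo "PROMISC interfaces: $ifs"
    echo "processes with a bpf device open (command pid device):"
    printf '%s\n' "$2" | bpf_holders
}

report "$SAMPLE_IFCONFIG" "$SAMPLE_FSTAT"
```

The FreeBSD kernel also logs `promiscuous mode enabled` and `promiscuous mode disabled` messages for the interface (visible in `dmesg`), which shows when the flag changed.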

fx1024
03-01-2005, 07:59 AM
Thanks guys!

I'll check it first with the datacenter and then with the admins that secured my server.

tamouh
03-02-2005, 12:33 AM
As gabbar said, most likely this is a false positive. Run chkrootkit again in a minute and I'm sure this will disappear. It could have shown PROMISC due to the traffic on your NIC.