[Snort-devel] Snort Bug - Promiscuous mode, Linux daemon

Chris Green cmg at ...835...
Fri Nov 1 05:48:21 EST 2002

"Jon Hedlund" <JonH at ...1658...> writes:

> In snort.c in the current release package 
> /* $Id: snort.c,v 1.157 2002/09/25 19:56:53 chrisgreen Exp $ */
> the comment at line 288 indicates that the daemon forking code has 
> to be executed before the interface is opened, but in the current 
> code it is being opened earlier, in line 229. 
> I'm seeing this problem on a Red-Hat 7.3 machine with kernel 
> 2.4.18-3, in console mode it works fine, but when -D is specified it 
> toggles the interface in and out of promiscuous mode and leaves it 
> in non-promiscuous mode.  There is a current thread on snort-
> users, subject: Promiscuous mode, where several others describe 
> the same problem.

There used to be a ifndef HPUX kludge that could be responsible.

The interface should stay in promiscuous mode following the call to
GoDaemon but for some reason, it appears that it looses that.  It's
entirely possible that the fd's it's closing and duping in daemon

I'll ask again ( asked back around 5/15/02 )....

What is happening on linux?  There used to be a

#ifndef HPUX
   /* kludge for Linux */
#endif /* HPUX */

I can add that back with only doing it from Linux but in the past on
Linux, there was when it would toggle between the two and always end
up not in promisc mode and when that was originally there, it would
end up exiting in promisc mode then toggling it to non.

Additionally, on other platforms, it would leak bpf descriptors.
Chris Green <cmg at ...402...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod

More information about the Snort-devel mailing list