[Snort-devel] check for promiscious mode needed ?

Erek Adams erek at ...835...
Wed Apr 23 09:10:46 EDT 2003


On Wed, 23 Apr 2003, Andreas Wurzinger wrote:

> last week I had the phenomenon that snort died and as I tried to restart
> him it always came up properly but didn't detect anything. After doing some
> diagnosis on snort I discovered that when snort was not running the nic was
> in promiscious mode and when snort came up the card switched over to
> "normal mode" leaving the promiscious state.
>
> Is it possible that there's a little check needed in snort to proove wether
> the promiscious mode on the sensor nic is already enabled or not ?

Lemmee guess, you're on Linux?  Linux tends to implement the promisc
setting as a flag.  Set it once, and it's on.  Set it twice and it's off.
Set it three times and it's on.

Should Snort check?  *shrug*  That's a coder decsion.  :)

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-devel mailing list