AW: [Snort-devel] check for promiscious mode needed ?

Andreas Wurzinger andreas.wurzinger at ...1953...
Fri Apr 25 05:57:08 EDT 2003


On Wed, 23 Apr 2003, Andreas Wurzinger wrote:

> last week I had the phenomenon that snort died and as I tried to restart
> it, it always came up properly but didn't detect anything. After doing some
> diagnosis on snort I discovered that when snort was not running the nic was
> in promiscuous mode and when snort came up the card switched over to
> "normal mode" leaving the promiscuous state.
>
> Is it possible that there's a little check needed in snort to prove whether
> the promiscuous mode on the sensor nic is already enabled or not ?

Lemmee guess, you're on Linux?  Linux tends to implement the promisc
setting as a flag.  Set it once, and it's on.  Set it twice and it's off.
Set it three times and it's on.

Should Snort check?  *shrug*  That's a coder decision.  :)

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
[Andreas Wurzinger]

Hi Erek,

You're right - it's LINUX.

With that knowledge in mind it's ok for me to deal with "sniffing-problems"
on snort, but, anyway, a check whether the prom. mode is entered or not
would be very *nice*


Andreas Wurzinger



