[Snort-users] eth0 leaving promiscuous mode

Martin Roesch roesch at ...421...
Thu Nov 23 00:51:49 EST 2000


Hi Gene,
     Libpcap is stupid about how it sets promiscuous mode.  It doesn't check
before running the syscall to toggle promisc mode, so if it's already in
promisc mode it turns it back off.  Libpcap bug. Maybe there's something we
can do...

   -Marty

"Gene R. Gomez" wrote:
> 
> Marty and all,
> I've been looking at an identical problem on my Red Hat Linux 7.0 box.
> Essentially, I stole and modified some of the scripts from the snort-1.6.0
> rpm contributed by Henry Gomez, and replaced the snort binary with the one
> from the snort-1.6.3-patch2 source.
> What I'm finding is that when I issue:
> 
> /etc/init.d/snort restart
> 
> I'm getting:
> 
> Stopping snort:                                 [  OK  ]
> Starting snort: eth0: Setting promiscuous mode
> eth0: Setting promiscuous mode          [  OK  ]
> 
> However, swapping this with snort-1.6.3 (which doesn't exhibit these
> symptoms), I get:
> 
> Stopping snort:                                 [  OK  ]
> Starting snort: eth0: Setting promiscuous mode
>                                                         [  OK  ]
> 
> And, of course, as noted below, the kernel is actually setting promiscuous
> mode.  I'm not a Linux guru by far, but I suspect that this means there's a
> 0/1 toggle that's getting set twice by snort-1.6.3-patch2, but not
> snort-1.6.3.  At first I targeted the /proc/sys/net series of entries, but
> I don't know enough about packet capture to know how the kernel would set
> promiscuous.
> Because of this, I'm now using snort-1.6.3, not snort-1.6.3-patch2.  I had
> problems originally with snort-1.6.3 crashing every 5-10 minutes on my box,
> but after updating glibc (thanks to Joseph Carnahan for clueing me in), it
> has stabilized.
> Oddly enough, if I restarted snort-1.6.3-patch2 with -D enough times,
> eventually it WOULD stay in promiscuous mode, but I was doing other things
> on other virtual consoles, so there's no telling what sequence of events
> would lead to it working.
> If there's anything I can do to help (as I said, I'm no guru by far), please
> drop me a line.
> 
> -Gene
> 
> -----Original Message-----
> From: Martin Roesch [mailto:roesch at ...421...]
> Sent: Tuesday, October 24, 2000 11:03 PM
> To: Marko Jennings
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] eth0 leaving promiscuous mode
> 
> Are you running in daemon mode?
> 
>     -Marty
> 
> Marko Jennings wrote:
> >
> > Hi,
> >
> > I am running snort-1.6.3-patch2 on a Pentium 133MHz with 96MB of RAM
> > under Red Hat 6.2 (2.2.14-5.0 kernel).  My problem is that the network
> > card seems to be leaving promiscuous mode immediately after it enters it
> > when snort starts.  Because of that, only traffic to and from its
> > address is being analyzed.  Below are relevant syslog messages.
> >
> > Oct 14 21:08:46 usdtwids0001 kernel: snort uses obsolete
> > (PF_INET,SOCK_PACKET)
> > Oct 14 21:08:46 usdtwids0001 kernel: device eth0 entered promiscuous
> > mode
> > Oct 14 21:08:46 usdtwids0001 kernel: device eth0 left promiscuous mode
> > Oct 14 21:08:46 usdtwids0001 snort:
> > Oct 14 21:08:46 usdtwids0001 snort: Initializing Network Interface...
> > Oct 14 21:08:46 usdtwids0001 snort: Initializing daemon mode
> > Oct 14 21:08:46 usdtwids0001 snort: Starting NIDS succeeded
> >
> > I have another box where this does not happen, and I don't know what is
> > making the difference.  I tried three different network cards (two
> > 3com's and one Intel) and nothing changed.
> >
> > I would greatly appreciate any help.
> >
> > Sincerely,
> >
> > Marko Jennings

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
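
An added example, not part of the original thread and not Snort or libpcap code: a small log audit that finds the symptom shown in Marko's syslog excerpt, a device entering and then immediately leaving promiscuous mode before Snort reports a successful start. The sample lines are constructed from the messages quoted above; the host `sensor2`, the function name, the five-second window and the default year are assumptions.

```python
import re
from datetime import datetime

# Constructed sample modelled on the syslog lines quoted in the thread
# (wrapped lines joined; "sensor2" is an invented healthy host for contrast).
SAMPLE_LOG = """\
Oct 14 21:08:46 usdtwids0001 kernel: device eth0 entered promiscuous mode
Oct 14 21:08:46 usdtwids0001 kernel: device eth0 left promiscuous mode
Oct 14 21:08:46 usdtwids0001 snort: Initializing daemon mode
Oct 14 21:08:46 usdtwids0001 snort: Starting NIDS succeeded
Oct 14 21:09:10 sensor2 kernel: device eth0 entered promiscuous mode
Oct 14 21:09:10 sensor2 snort: Starting NIDS succeeded
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\w+)(?:\[\d+\])?: (.*)$")
PROMISC = re.compile(r"^device (\S+) (entered|left) promiscuous mode$")


def audit_promisc(log_text, flap_window=5, year=2000):
    """Return (host, device, reason) tuples for sensors that lost promisc mode.

    syslog timestamps carry no year, so `year` is an assumed value.
    """
    state = {}      # (host, device) -> (is_promiscuous, time of last change)
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, host, tag, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        p = PROMISC.match(msg) if tag == "kernel" else None
        if p:
            dev, entering = p.group(1), p.group(2) == "entered"
            was_on, since = state.get((host, dev), (False, when))
            # Entered and left again within the window: capture was cut short.
            if was_on and not entering and (when - since).total_seconds() <= flap_window:
                findings.append((host, dev, "promiscuous mode flapped off"))
            state[(host, dev)] = (entering, when)
        elif tag == "snort" and "Starting NIDS succeeded" in msg:
            # Snort reports success: its host's devices should still be promiscuous.
            for (h, dev), (on, _) in state.items():
                if h == host and not on:
                    findings.append((host, dev, "snort started while not promiscuous"))
    return findings


if __name__ == "__main__":
    for finding in audit_promisc(SAMPLE_LOG):
        print(*finding)
```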


