[Snort-users] eth0 leaving promiscuous mode

Marko Jennings marko at ...303...
Wed Oct 25 02:09:30 EDT 2000


Yes, I was, until Fyofor asked me the same question. :-)
As soon as I stopped using the -D option, it started working the way I
expected it to work.

Marko

Martin Roesch wrote:
> 
> Are you running in daemon mode?
> 
>     -Marty
> 
> Marko Jennings wrote:
> >
> > Hi,
> >
> > I am running snort-1.6.3-patch2 on a Pentium 133MHz with 96MB of RAM
> > under Red Hat 6.2 (2.2.14-5.0 kernel).  My problem is that the network
> > card seems to be leaving promiscuous mode immediately after it enters it
> > when snort starts.  Because of that, only traffic to and from its
> > address is being analyzed.  Below are relevant syslog messages.
> >
> > Oct 14 21:08:46 usdtwids0001 kernel: snort uses obsolete (PF_INET,SOCK_PACKET)
> > Oct 14 21:08:46 usdtwids0001 kernel: device eth0 entered promiscuous mode
> > Oct 14 21:08:46 usdtwids0001 kernel: device eth0 left promiscuous mode
> > Oct 14 21:08:46 usdtwids0001 snort:
> > Oct 14 21:08:46 usdtwids0001 snort: Initializing Network Interface...
> > Oct 14 21:08:46 usdtwids0001 snort: Initializing daemon mode
> > Oct 14 21:08:46 usdtwids0001 snort: Starting NIDS succeeded
> >
> > I have another box where this does not happen, and I don't know what is
> > making the difference.  I tried three different network cards (two
> > 3com's and one Intel) and nothing changed.
> >
> > I would greatly appreciate any help.
> >
> > Sincerely,
> >
> > Marko Jennings
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
> 
> --
> Martin Roesch
> roesch at ...421...
> http://www.snort.org
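
A sensor whose interface silently drops out of promiscuous mode keeps running but only sees its own traffic, so the enter/leave pair in the syslog excerpt above is worth checking for automatically. The following is an added example, not part of the original thread or of Snort: it scans syslog lines for the kernel's promiscuous-mode messages and flags interfaces that left the mode right after entering it. The function name, the 2-second window, the assumed year and the second host's line are assumptions made for illustration.

```python
import re
from datetime import datetime

# Kernel and snort lines in the format quoted in the thread (unwrapped).
# The usdtwids0002/eth1 line is constructed for contrast.
SAMPLE = """\
Oct 14 21:08:46 usdtwids0001 kernel: device eth0 entered promiscuous mode
Oct 14 21:08:46 usdtwids0001 kernel: device eth0 left promiscuous mode
Oct 14 21:08:46 usdtwids0001 snort: Initializing daemon mode
Oct 14 21:08:46 usdtwids0001 snort: Starting NIDS succeeded
Oct 14 21:09:10 usdtwids0002 kernel: device eth1 entered promiscuous mode
"""

PROMISC_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) kernel: "
    r"device (\S+) (entered|left) promiscuous mode"
)
ASSUMED_YEAR = 2000  # syslog timestamps carry no year; only deltas matter here


def sensor_status(lines, flap_window=2):
    """Map (host, device) to 'promiscuous', 'not promiscuous' or
    'dropped at startup' (left within flap_window seconds of entering
    and never re-entered afterwards)."""
    state = {}
    for line in lines:
        m = PROMISC_RE.match(line)
        if not m:
            continue  # not a promiscuous-mode message
        ts, host, dev, action = m.groups()
        when = datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S")
        key = (host, dev)
        if action == "entered":
            state[key] = ("promiscuous", when)
            continue
        prev = state.get(key)
        quick = (
            prev is not None
            and prev[0] == "promiscuous"
            and (when - prev[1]).total_seconds() <= flap_window
        )
        state[key] = ("dropped at startup" if quick else "not promiscuous", when)
    return {key: status for key, (status, _) in state.items()}


if __name__ == "__main__":
    for (host, dev), status in sensor_status(SAMPLE.splitlines()).items():
        print(f"{host} {dev}: {status}")
```
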


