[Snort-users] eth0 leaving promiscuous mode

Gene R. Gomez ggomez at ...677...
Wed Oct 25 16:01:55 EDT 2000


Marty and all,
I've been looking at an identical problem on my Red Hat Linux 7.0 box.
Essentially, I stole and modified some of the scripts from the snort-1.6.0
rpm contributed by Henry Gomez, and replaced the snort binary with the one
from the snort-1.6.3-patch2 source.
What I'm finding is that when I issue:

/etc/init.d/snort restart

I'm getting:

Stopping snort:					[  OK  ]
Starting snort: eth0: Setting promiscuous mode
eth0: Setting promiscuous mode		[  OK  ]

However, swapping this with snort-1.6.3 (which doesn't exhibit these
symptoms), I get:

Stopping snort:					[  OK  ]
Starting snort: eth0: Setting promiscuous mode
							[  OK  ]

And, of course, as noted below, the kernel is actually setting promiscuous
mode.  I'm not a Linux guru by far, but I suspect that this means there's a
0/1 toggle that's getting set twice by snort-1.6.3-patch2, but not
snort-1.6.3.  At first I targeted the /proc/sys/net series of entries, but
I don't know enough about packet capture to know how the kernel would set
promiscuous.
Because of this, I'm now using snort-1.6.3, not snort-1.6.3-patch2.  I had
problems originally with snort-1.6.3 crashing every 5-10 minutes on my box,
but after updating glibc (thanks to Joseph Carnahan for clueing me in), it
has stabilized.
Oddly enough, if I restarted snort-1.6.3-patch2 with -D enough times,
eventually it WOULD stay in promiscuous mode, but I was doing other things
on other virtual consoles, so there's no telling what sequence of events
would lead to it working.
If there's anything I can do to help (as I said, I'm no guru by far), please
drop me a line.

-Gene

-----Original Message-----
From: Martin Roesch [mailto:roesch at ...421...]
Sent: Tuesday, October 24, 2000 11:03 PM
To: Marko Jennings
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] eth0 leaving promiscuous mode


Are you running in daemon mode?

    -Marty

Marko Jennings wrote:
> 
> Hi,
> 
> I am running snort-1.6.3-patch2 on a Pentium 133MHz with 96MB of RAM
> under Red Hat 6.2 (2.2.14-5.0 kernel).  My problem is that the network
> card seems to be leaving promiscuous mode immediately after it enters it
> when snort starts.  Because of that, only traffic to and from its
> address is being analyzed.  Below are relevant syslog messages.
> 
> Oct 14 21:08:46 usdtwids0001 kernel: snort uses obsolete
> (PF_INET,SOCK_PACKET)
> Oct 14 21:08:46 usdtwids0001 kernel: device eth0 entered promiscuous
> mode
> Oct 14 21:08:46 usdtwids0001 kernel: device eth0 left promiscuous mode
> Oct 14 21:08:46 usdtwids0001 snort:
> Oct 14 21:08:46 usdtwids0001 snort: Initializing Network Interface...
> Oct 14 21:08:46 usdtwids0001 snort: Initializing daemon mode
> Oct 14 21:08:46 usdtwids0001 snort: Starting NIDS succeeded
> 
> I have another box where this does not happen, and I don't know what is
> making the difference.  I tried three different network cards (two
> 3com's and one Intel) and nothing changed.
> 
> I would greatly appreciate any help.
> 
> Sincerely,
> 
> Marko Jennings
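
The symptom reported in this thread can be caught from the sensor's syslog. The following is an added example, not part of the original messages or of Snort: it flags interfaces whose last kernel transition was "left promiscuous mode". The function name, the two-second flap window, the year 2000 default and the host "sensor-b" are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Kernel wording as quoted in the message above.
PROMISC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\skernel:\s"
    r"device\s(?P<dev>\S+)\s(?P<verb>entered|left)\spromiscuous mode")

# First four lines: from the quoted syslog excerpt, wrapped lines rejoined.
# Last line: constructed, a hypothetical healthy sensor "sensor-b".
SAMPLE = [
    "Oct 14 21:08:46 usdtwids0001 kernel: snort uses obsolete (PF_INET,SOCK_PACKET)",
    "Oct 14 21:08:46 usdtwids0001 kernel: device eth0 entered promiscuous mode",
    "Oct 14 21:08:46 usdtwids0001 kernel: device eth0 left promiscuous mode",
    "Oct 14 21:08:46 usdtwids0001 snort: Initializing daemon mode",
    "Oct 14 21:09:10 sensor-b kernel: device eth0 entered promiscuous mode",
]

def blind_interfaces(lines, flap_window=timedelta(seconds=2), year=2000):
    """Return sorted (host, dev, flapped) for interfaces whose last logged
    transition was 'left'. flapped is True when the interface left within
    flap_window of entering, the symptom reported in the thread.
    Syslog timestamps carry no year, so `year` is an assumption."""
    entered_at, result = {}, {}
    for line in lines:
        m = PROMISC_RE.match(line)
        if not m:
            continue  # snort's own messages and unrelated kernel lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["host"], m["dev"])
        if m["verb"] == "entered":
            entered_at[key] = ts
            result.pop(key, None)  # interface is capturing again
        else:
            start = entered_at.pop(key, None)
            result[key] = start is not None and ts - start <= flap_window
    return sorted((h, d, f) for (h, d), f in result.items())

if __name__ == "__main__":
    for host, dev, flapped in blind_interfaces(SAMPLE):
        note = "left right after entering" if flapped else "left"
        print(f"{host} {dev}: not promiscuous ({note})")
```
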



