[Snort-users] promiscuous mode problem

Lawrence Rosen rosen at ...1506...
Thu Mar 8 11:03:50 EST 2001


        I recently installed a snort-1.7-1.i386.rpm on my dual processor
DELL box running RedHat 6.2.  I'm missing some functionality.

Starting the snort daemon at boot time doesn't put the ethernet
interface into promiscuous mode.  I issued the command 'ifconfig eth0
promisc' to configure eth0 as shown below.  This doesn't seem correct
based on my reading of the documentation.  libpcap-0.4-1.9 is the
version installed.  Thanks in advance for any advice about the situation.



==========================================================================

eth0      Link encap:Ethernet  HWaddr 00:B0:D0:3D:96:09
          inet addr:129.236.21.85  Bcast:129.236.21.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:2939 errors:0 dropped:0 overruns:1 frame:0
          TX packets:851 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:16 Base address:0xdc80

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:893 errors:0 dropped:0 overruns:0 frame:0
          TX packets:893 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
==========================================================================

The command used during boot to start snort in its daemon mode is:

INTERFACE=eth0
daemon /usr/sbin/snort -u snort -g snort -s -d -D -i $INTERFACE -l /var/log/snort -c /etc/snort/snort.conf
============================================================================

        Despite putting the ethernet card in promiscuous mode, snort
reports SYN stealth and other nmap scans when they are directed at
this particular machine but not at other machines on the subnet.

        Snort does, however, report things of the following kind:

MISC Large UDP Packet: 129.236.110.79:0 -> 129.236.21.203:0

        which suggests it is able to match certain kinds of packets
with its rule sets (UPDATED 02/21/2001).

        The machine is located on an ethernet subnet.  The snort.conf
file has the following entries:

var HOME_NET 129.236.21.0/24
var EXTERNAL_NET !129.236.21.0/24
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var DNS_SERVERS [129.236.10.30/32,129.236.10.20/32,129.236.21.202/32]

preprocessor minfrag: 128
preprocessor defrag
preprocessor http_decode: 80 8080
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS

include /etc/snort/local.rules
include /etc/snort/exploit.rules
include /etc/snort/scan.rules
include /etc/snort/finger.rules
include /etc/snort/ftp.rules
include /etc/snort/telnet.rules
include /etc/snort/smtp.rules
include /etc/snort/rpc.rules
include /etc/snort/rservices.rules
include /etc/snort/backdoor.rules
include /etc/snort/dos.rules
include /etc/snort/ddos.rules
include /etc/snort/dns.rules
include /etc/snort/netbios.rules
include /etc/snort/web-cgi.rules
include /etc/snort/web-coldfusion.rules
include /etc/snort/web-frontpage.rules
include /etc/snort/web-misc.rules
include /etc/snort/web-iis.rules
include /etc/snort/icmp.rules
include /etc/snort/misc.rules
# include policy.rules
# include info.rules
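As an added example, not code from the post or from Snort: a Python sanity check over the ifconfig output and snort.conf variables quoted above, reporting whether the interface named by `-i` carries the UP, RUNNING and PROMISC flags and whether its address falls inside HOME_NET. The sample strings are constructed from the post's own output, and `check_sensor` and `parse_ifconfig` are hypothetical helper names.

```python
import ipaddress
import re
# Constructed sample input, copied from the ifconfig output and snort.conf quoted in the post.
IFCONFIG_OUTPUT = """\
eth0      Link encap:Ethernet  HWaddr 00:B0:D0:3D:96:09
          inet addr:129.236.21.85  Bcast:129.236.21.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
"""
SNORT_CONF = """\
var HOME_NET 129.236.21.0/24
var EXTERNAL_NET !129.236.21.0/24
"""

def parse_ifconfig(text):
    """Map each interface in old-style ifconfig output to its address, mask and flag set."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+Link encap", line)
        if m:  # a new interface block starts at column 0
            current = m.group(1)
            ifaces[current] = {"addr": None, "mask": None, "flags": set()}
            continue
        if current is None or not line.strip():
            continue
        if m := re.search(r"inet addr:(\S+)", line):
            ifaces[current]["addr"] = m.group(1)
        if m := re.search(r"Mask:(\S+)", line):  # also works when Mask: wrapped onto its own line
            ifaces[current]["mask"] = m.group(1)
        if m := re.match(r"^\s+((?:[A-Z]+\s+)+)MTU:", line):  # flag words precede MTU:
            ifaces[current]["flags"] = set(m.group(1).split())
    return ifaces

def home_net(conf):  # HOME_NET from snort.conf as an ip_network, or None if not set
    m = re.search(r"^var HOME_NET (\S+)", conf, re.M)
    return ipaddress.ip_network(m.group(1), strict=False) if m else None

def check_sensor(iface, ifconfig_text, conf):
    """List problems with the interface snort is bound to via -i; empty list means it looks sane."""
    info = parse_ifconfig(ifconfig_text).get(iface)
    if info is None:
        return [f"{iface}: not present in ifconfig output"]
    problems = [f"{iface}: flag {f} not set" for f in ("UP", "RUNNING", "PROMISC") if f not in info["flags"]]
    net = home_net(conf)
    if info["addr"] and net and ipaddress.ip_address(info["addr"]) not in net:
        problems.append(f"{iface}: address {info['addr']} is outside HOME_NET {net}")
    return problems
```

A clean result only confirms the sensor's own configuration: on a switched segment the switch still delivers only the sensor's own unicast traffic to that port, so seeing scans aimed solely at the sensor host points at needing a hub or a mirror (SPAN) port rather than at a Snort setting.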