[Snort-users] Promiscuous mode

Derek Glidden dglidden at ...7172...
Wed Oct 30 09:30:06 EST 2002


On Wed, 2002-10-30 at 11:25, Paul Enlund wrote:
> Tried upgrading from Snort 1.8.6 to 1.9 on a Debian 2.2.20 system
> and I find that the eth0 interface enters promiscuous mode then
> returns back to normal.
> 
> Options used are:
> 
> start-stop-daemon --start --quiet --exec $DAEMON -- \
>    -D -c /etc/snort/snort.conf \
>    -l /var/log/snort/ \
>    -b
> 
> I also tried 1.8.7, and this also suffers from the same problem I find
> with 1.9.
> 
> Anybody seen this before and know the solution?

I have the same problem.  Debian 2.2 and 3.0 systems with 2.4.18
kernels.  Interestingly, if I DON'T use "-D", the interface stays in
promisc mode; however, I need these probes to be running in the
background.

I "solved" it by adding "ifconfig eth0 promisc" to the startup script,
immediately after starting snort.  :P

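The workaround in this thread re-enables promiscuous mode once, right after Snort starts. The check below is an added example, not code from the thread or from Snort: it lets a startup script or cron job verify the sensor interface and re-apply `ifconfig <iface> promisc` only when the flag is missing. It assumes a Linux kernel that exposes sysfs (`/sys/class/net/<iface>/flags`) and the `IFF_PROMISC` bit `0x100`; the function names and the `PROMISC_SET_CMD` override are hypothetical.

```shell
#!/bin/sh
# Added example. Function names and PROMISC_SET_CMD are hypothetical.
IFF_PROMISC=0x100   # IFF_PROMISC bit from <linux/if.h>

# promisc_from_flags HEX: exit 0 when the IFF_PROMISC bit is set.
promisc_from_flags() {
    [ $(( $1 & $IFF_PROMISC )) -ne 0 ]
}

# iface_is_promisc IFACE [SYSFS_ROOT]
# Exit 0 = promiscuous, 1 = not promiscuous, 2 = flags unreadable or malformed.
iface_is_promisc() {
    pm_file="${2:-/sys/class/net}/$1/flags"
    [ -r "$pm_file" ] || return 2
    pm_flags=$(cat "$pm_file") || return 2
    case "$pm_flags" in
        0x[0-9a-fA-F]*) promisc_from_flags "$pm_flags" ;;
        *) return 2 ;;
    esac
}

# ensure_promisc IFACE [SYSFS_ROOT]
# Re-applies the thread's workaround only when the interface has left
# promiscuous mode, and warns on stderr so the event can be logged.
ensure_promisc() {
    pm_rc=0
    iface_is_promisc "$1" "${2:-/sys/class/net}" || pm_rc=$?
    case $pm_rc in
        0) return 0 ;;
        1) echo "warn: $1 is not promiscuous, re-enabling" >&2
           ${PROMISC_SET_CMD:-ifconfig} "$1" promisc ;;
        *) echo "error: cannot read interface flags for $1" >&2
           return 2 ;;
    esac
}

# In the init script, after the start-stop-daemon line:
#   ensure_promisc eth0
```
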




