[Snort-users] Promiscuous mode

Gene Gomez gegomez at ...6324...
Thu Oct 31 12:53:04 EST 2002


Same here; I'm running Snort 1.9.0 on Red Hat 8.0.  Here's a sample from my
logs:

Oct 31 09:02:41 shadowcat kernel: device eth0 entered promiscuous mode
Oct 31 09:02:41 shadowcat snort: Initializing daemon mode
Oct 31 09:02:41 shadowcat kernel: device eth0 left promiscuous mode

I've got two interfaces and two instances of snort; same occurs on both.  I
"fixed" it by adding this to my startup script:

	ifconfig eth0 promisc
	ifconfig eth1 promisc

And this to my stop script:

	ifconfig eth0 -promisc
	ifconfig eth1 -promisc

Pretty lame, but it gets it working.  :)

Gene

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Eli Stair
Sent: Thursday, October 31, 2002 1:20 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Promiscuous mode


I'm having the same issue as you guys.  Snort 1.9 CVS current, kernel
2.4.19.
It was happening with 1.8.7 as well.

/eli

On Wed, 30 Oct 2002 17:30:12 +0000
quentyn at ...3871... wrote:

> Paul Enlund wrote:
> >
> > Tried upgrading from Snort 1.8.6 to 1.9 on a Debian 2.2.20 system
> > and I find that the eth0 interface enters promiscuous mode then
> > returns back to normal.
> >
> > Options used are.
> >
> > start-stop-daemon --start --quiet --exec $DAEMON -- \
> >    -D -c /etc/snort/snort.conf \
> >    -l /var/log/snort/ \
> >    -b
> >
> > I also tried 1.8.7 and this also suffers the same problem I find with
> > 1.9
> >
> > Anybody seen this before and know the solution ?
> >
> > Paul Enlund
>
>
http://groups.google.com/groups?q=quentyn&hl=en&lr=&ie=UTF-8&oe=UTF-8&scorin
g=d&selm=amdaji%24kc1%241%40FreeBSD.csie.NCTU.edu.tw&rnum=5
>
> I saw it as well
>
> however when I built a new snort box with snort 1.9.0 the problem hasn't
> manifested it's self yet ( I had forgotten till I saw your post)
>
> I *think* it was a bug in 1.8.7 though with no proof or time to
> investigate I left it
>
> Q
>
> --
> #####################
> Quentyn Taylor
> Sysadmin - Fotango
> #####################
> There's too much blood in my caffeine system.












More information about the Snort-users mailing list