[Snort-users] Snort dies

Pablo Venini pvenini at ...13824...
Tue May 23 08:03:06 EDT 2006


Hi, I'm doing my first snort installation. I installed it without problems and configured it to log alerts via syslog.  Everything seems OK, but after running  for a while it dies, sending the following message to syslog:

May 23 10:49:39 localhost kernel: eth0.7: dev_set_promiscuity(master, -1)
May 23 10:49:39 localhost kernel: device eth0.7 left promiscuous mode

This seems to occur whenever the following traffic is detected

May 23 10:49:39 localhost snort[8729]: [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY <eth0.7> {TCP} xxx.xxx.xxx.xxx:59635 -> xxx.xxx.xxx.xxx:80

This traffic originates in my internal network and goes to MSN services like Hotmail and WebMessenger.

I'm using Snort 2.4.4 with the current ruleset, running on a Red Hat Linux box with kernel version 2.4.20-8. I'm also using logsurfer to scan the syslog file and send alerts via mail. The NIC is an Intel PRO1000 GT with VLAN suport enabled in the kernel; it has 7 subinterfaces but I'm running snort in only one of them. The box is also running tcpdump in another subinterface.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20060523/ca0cce72/attachment.html>


More information about the Snort-users mailing list