Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Snort startup forcing NIC to leave promiscuous mode???

From: "John Lewis" <jnlewis () arachnerd com>
Date: Tue, 2 Jul 2002 10:47:47 -0400
RedHat 7.3 with latest updates
Snort 1.8.6 compiled from source

When snort is starting, it is setting its eth1 to non-promiscuous mode.
When it quits, it sets the nic back to promiscuous.  Here is what I see
in /var/log/messages

Jul  2 10:21:20 babylon snort: Snort received signal 15, exiting 
Jul  2 10:21:20 babylon kernel: eth1: Setting promiscuous mode.
Jul  2 10:21:20 babylon kernel: device eth1 entered promiscuous mode
Jul  2 10:21:20 babylon snortd: snort shutdown succeeded
Jul  2 10:21:20 babylon kernel: eth1: Setting promiscuous mode.
Jul  2 10:21:21 babylon snort: WARNING: OpenPcap() device eth1 network
lookup:  ^Ieth1: no IPv4 address assigned 
Jul  2 10:21:21 babylon snort: Initializing daemon mode 
Jul  2 10:21:21 babylon snortd: snort startup succeeded
Jul  2 10:21:21 babylon kernel: device eth1 left promiscuous mode
Jul  2 10:21:21 babylon snort: WARNING: OpenPcap() device eth1 network
lookup:  ^Ieth1: no IPv4 address assigned 
Jul  2 10:21:21 babylon snort: PID stat checked out ok, PID set to
/var/run/ 
Jul  2 10:21:21 babylon snort: Writing PID file to "/var/run/" 
Jul  2 10:21:24 babylon snort: Snort initialization completed
successfully, Snort running

I'm using the startups script from
http://msbnetworks.net/snort/snortd.txt, which has the following
startup:

# Specify your network interface here
INTERFACE=eth1

# See how we were called.
case "$1" in
  start)
        echo -n "Starting snort: "
        ifconfig eth1 up
        daemon /usr/local/bin/snort -U -o -i $INTERFACE -d -D -c
/etc/snort/snort.conf
        touch /var/lock/subsys/snort
        echo
        ;;
  stop)

So if snort is setting promiscous to off, then it must be on by default.
Anyone know how to change this in Redhat?  I'm running this on a small
P200 box, so no xwindows...

Thanks.



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: