Snort mailing list archives

Promiscuous mode


From: "John Creegan" <jcreegan () questarweb com>
Date: Thu, 14 Aug 2003 10:00:21 -0500

I'm reading what appears to be somewhat conflicting or at least
inconclusive stuff.  In the archives I see statements such as "When
snort comes up it puts the NIC in promiscuous mode" + "You can check
that with ifconfig", etc...

I'm running snort 2.0.1 on Solaris 8 on a 64-bit sun5.  We've compiled
for 32-bit.

I've got 2 NICs: hme0 and hme1.  hme0 allows IPv6 over IPv4, and is the
sniffer interface.  hme1 is the management interface.

hme0 is on a hub which is fed by the firewall so I can see all the
packets coming in from the firewall.  (I know I'm losing full-duplex
capabilities, but this is considered a testbed, and is the first install
of snort in the company).

Using ACID, I'm seeing traffic from all over the network (not just
packets destined for the sniffer IP address), which tells me that the
card is in some way in promiscuous mode.

I also read that libpcap lifts ALL the packets off the NIC, which
suggests to me that even when ifconfig does not report that the sniffer
interface is in promiscuous mode that I'm getting all the packets
anyway, a conclusion apparently supported by what I'm seeing out of
ACID.

It also doesn't seem to matter whether the sniffer interface is up or
down, also supportive of what libpcap is supposed to do.

I'm thinking that "brings the interface up in promiscuous mode" is a
bit of a misnomer.  That appears to be the effect because of libpcap. 
I'm thinking that "libpcap hands the IP stack all the packets off the
sniffer interface as if it were in promiscuous mode" is more accurate.

I think all is well, but I'd like to hear a definitive "yes" so I can
get onto some serious rule management.

Thanks!






