Snort mailing list archives
Re: ifconfig may not correctly show
From: lists <echo () beltrani com>
Date: Fri, 15 Aug 2003 16:53:05 -0400 (EDT)
On Fri, 15 Aug 2003, John Creegan wrote:
This is good to know (and definitely where I am at). Any idea how to port this info to Solaris 8 on a SUN Ultra 5? There's no "ip" command there.
I don't know that this is the same issue you're experiencing under Solaris. As for another tool to determine promiscuous mode, you may want to look at ifpromisc which is part of chkrootkit available at http://www.chkrootkit.org/ . I haven't used it myself but the site states it has been tested under Solaris 2.5.1 and 2.6.

- Paul Beltrani
Paul Beltrani wrote:

This appears to be a common thread/question for snort users but it isn't in the FAQ. In fact the FAQ may be incorrect in suggesting people use "ifconfig" to determine promiscuous mode.

A net search shows many people are confused because:

1) They expect snort to put the network interface into promiscuous mode.
2) The alerts snort returns imply the interface IS in promiscuous mode.
3) They then run ifconfig and it does not show the interface is in promiscuous mode.

I found some references that would indicate ifconfig under linux does NOT always report the correct state of promiscuous mode on an interface. See:

http://marc.theaimsgroup.com/?l=snort-users&m=99249371217700&w=2
http://www.ussg.iu.edu/hypermail/linux/net/0101.2/0060.html

FWIW, the "ip" command from the iproute package DOES appear to return the correct state of the interface when running snort. The following output is from a RH9.0 system running the 2.4.20-19.9 Kernel and using a 3com 509 NIC.

    /sbin/ip link show
    2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
        link/ether 00:60:97:81:37:9b brd ff:ff:ff:ff:ff:ff

    /sbin/ifconfig eth0
    eth0      Link encap:Ethernet  HWaddr 00:60:97:81:37:9B
              inet addr:xx.xx.xx.xx  Bcast:xxx.xxx.xxx.xxx  Mask:xxx.xxx.xxx.xxx
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:5151010 errors:28 dropped:0 overruns:34 frame:28
              TX packets:1579623 errors:0 dropped:0 overruns:0 carrier:0
              collisions:12141 txqueuelen:100
              RX bytes:491015762 (468.2 Mb)  TX bytes:298061933 (284.2Mb)
              Interrupt:5 Base address:0x300

Note:
A) "ip" correctly indicates the NIC is in promiscuous mode.
B) "ifconfig" does NOT indicate promiscuous mode

- Paul Beltrani
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
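The comparison described in the message above can be scripted so a sensor check does not depend on reading the two outputs by eye. This is an added example, not part of the original post; the function names are hypothetical, and the sample strings are constructed and trimmed from the output quoted in the thread.

```shell
#!/bin/sh
# Constructed samples, trimmed from the output quoted in the thread.
IP_OUT='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:97:81:37:9b brd ff:ff:ff:ff:ff:ff'
IFCONFIG_OUT='eth0      Link encap:Ethernet  HWaddr 00:60:97:81:37:9B
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# ip_promisc IFACE: read "ip link show" output on stdin, print yes/no/unknown.
ip_promisc() {
    awk -v ifc="$1" '
        # Header line looks like: 2: eth0: <FLAG,FLAG,...> mtu ...
        # Also accept the eth0@if3: form used for stacked devices.
        $2 == (ifc ":") || index($2, (ifc "@")) == 1 {
            seen = 1
            flags = $3; gsub(/[<>]/, "", flags)
            n = split(flags, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "PROMISC") hit = 1
        }
        END { print (seen ? (hit ? "yes" : "no") : "unknown") }'
}

# ifconfig_promisc: read "ifconfig IFACE" output on stdin, print yes/no/unknown.
# Handles the layout quoted in the thread (flag words before MTU:) and the
# later net-tools layout (flags=NNNN<UP,...>).
ifconfig_promisc() {
    awk '
        /MTU:/ || /flags=/ {
            seen = 1
            gsub(/[<>,=]/, " ")          # changing $0 re-splits the fields
            for (i = 1; i <= NF; i++) if ($i == "PROMISC") hit = 1
        }
        END { print (seen ? (hit ? "yes" : "no") : "unknown") }'
}

# promisc_report IFACE IP_OUTPUT IFCONFIG_OUTPUT: one line saying whether
# the two tools agree about promiscuous mode.
promisc_report() {
    a=$(printf '%s\n' "$2" | ip_promisc "$1")
    b=$(printf '%s\n' "$3" | ifconfig_promisc)
    if [ "$a" = "$b" ]; then
        echo "$1: promisc=$a (tools agree)"
    else
        echo "$1: ip=$a ifconfig=$b (mismatch)"
    fi
}

# Live use: promisc_report eth0 "$(ip link show eth0)" "$(ifconfig eth0)"
promisc_report eth0 "$IP_OUT" "$IFCONFIG_OUT"
```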