Snort mailing list archives
Snort dies
From: "Pablo Venini" <pvenini () mervaros com ar>
Date: Tue, 23 May 2006 12:03:24 -0300
Hi, I'm doing my first snort installation. I installed it without problems and configured it to log alerts via syslog. Everything seems OK, but after running for a while it dies, sending the following message to syslog:

    May 23 10:49:39 localhost kernel: eth0.7: dev_set_promiscuity(master, -1)
    May 23 10:49:39 localhost kernel: device eth0.7 left promiscuous mode

This seems to occur whenever the following traffic is detected:

    May 23 10:49:39 localhost snort[8729]: [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY <eth0.7> {TCP} xxx.xxx.xxx.xxx:59635 -> xxx.xxx.xxx.xxx:80

This traffic originates in my internal network and goes to MSN services like Hotmail and WebMessenger.

I'm using Snort 2.4.4 with the current ruleset, running on a Red Hat Linux box with kernel version 2.4.20-8. I'm also using logsurfer to scan the syslog file and send alerts via mail. The NIC is an Intel PRO1000 GT with VLAN support enabled in the kernel; it has 7 subinterfaces but I'm running snort in only one of them. The box is also running tcpdump in another subinterface.