Snort mailing list archives

Previous By Date Next
Previous By Thread Next

FreeBSD promisc not working properly

From: B Keffer <kefferb () wam umd edu>
Date: Fri, 3 Aug 2001 10:31:10 -0400 (EDT)
I just noticed a problem with snort on my FreeBSD 4.1 firewall.
I am running snort Version 1.8-RELEASE (Build 43)

Snort running on the external interface does not seem to be catching all
network traffic despite being in promiscuous mode while the inside
interface works.

The firewall has two identical interfaces internal/external each one runs 
a separate snort process listening. Configuration files are nearly
identical only the IP's are different. I start snort on the external net
with '/usr/local/bin/snort -c /etc/snort/snort.dmz.conf -D -i ed0'
and similarly on the internal.

The logs report
/kernel: ed0: promiscuous mode enabled
and ifconfig reports the interface in promiscuous
ed0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500

Also if I run tcpdump I can sniff all traffic on the external network

Despite all this snort on the external interface will not catch traffic
which is not destined for the machine while the internal interface catches
everything correctly.

I just upgraded to 1.8 because I was having similar problems on 1.7.  It
had worked at one time and sorry but I don't know what caused it to stop
working. Any ideas why this would happen? Any help would be appreciated
                                        Thanks
                                          Brian



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: