Snort mailing list archives
Re: disabling promiscuous mode sniffing
From: Bennett Todd <bet () rahul net>
Date: Thu, 20 Feb 2003 12:31:40 -0500
2003-02-19T14:05:24 Rob Burris:
> The -p option is used to disable promiscuous mode sniffing.

Right.

> I use it as the first option when starting snort from the command line.

That should work fine.

> I am still getting reports of scans to different hosts on my network.

Snort will be seeing all packets sent to or originated from your host, even without promiscuous mode --- all promisc does is allow packets that arrive on your interface even though they are neither to nor from your host to be accepted by the NIC and passed up the stack, at least to the packet capture interface. If your host is either the src or the dest of these portscan reports then this would not be surprising. Note that a portscan alert doesn't necessarily mean that a portscan is in progress; the portscan preprocessors (portscan and portscan2) false-positive on servers that interact with many clients, as well as on clients that interact with many different servers.

> After starting snort is there a way to check and see if snort did NOT start in promiscuous mode?

That depends on your platform; you didn't say what platform you're using. As far as I know, there's one answer for Linux, and a different answer for all other Unixes. I've no idea of the answer for Windows.

Under most Unixes, "ifconfig -a" (or "ifconfig interfacename" to list only the info for your ethernet interface) will list PROMISC among the flags for a promiscuous interface.

There's a problem with the model implied by that behavior, that "promisc" is a flag associated with the interface, rather than with a process's open handle to that interface. Consider if you start snort at boot time, from an init script, and just leave it running. Now consider further if you should want to run tcpdump for a moment to debug some networking problem. (These are just examples; the problem shows up whenever you are using multiple programs that want to put the interface in promisc.) Snort will have set the interface to promisc. Tcpdump will set it to promisc (having no effect) and listen on the promisc interface as well; that also works fine, both processes will receive all the packets they ask for. When tcpdump exits, it will reset the interface, turning off the promisc, and snort won't know about it. Problem.

Linux addressed this by effectively associating the promisc bit not with the interface, but rather with the process's handle open on that interface; this means that in the above scenario, snort's promisc handle wouldn't be affected by tcpdump clearing promisc as it exits. It also means that ifconfig no longer reports promisc on interfaces unless you've used ifconfig to set the promisc bit permanently (needed e.g. for promisc sniffing on bonded interfaces)[1].

The upshot is that at least on Linux, to tell if any process has an interface open promisc, you need to "ip link show eth0" (or eth1, or whatever interface you're interested in). It _will_ include the PROMISC bit if any process has that interface promisc.

-Bennett

[1] Bonding ties multiple interfaces --- e.g. eth1 and eth2 --- together into one logical interface, e.g. bond0. This is valuable e.g. when you want to join together the output from both directions when using a network tap, so one snort process can see the aggregated data as needed for tcp session reassembly and perhaps other things as well. The bonding driver wasn't really designed for snorting, though; it was designed for etherchannel-style aggregation, and for high-availability failover designs.

Bonding's handling of promisc is a little curious. If you just use the normal bonding setup:

    ifconfig bond0 up
    ifconfig eth1 up
    ifenslave bond0 eth1
    ifconfig eth2 up
    ifenslave bond0 eth2
    snort -i bond0 ...

the bond0 interface will be set to promisc by snort, but the bonding driver won't propagate it down to the underlying physical interfaces. That propagation is only done at ifenslave time, not when promisc is later set on the bonding driver. The fix is to "ifconfig bond0 promisc up"; then when you ifenslave, each of the underlying physical interfaces will also be set promisc. And all of them will show their promisc status in ifconfig output.
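The check Bennett describes (look for PROMISC in "ip link show" output on Linux) as an added example, not code from the original thread. The "ip link show" output embedded below is constructed sample text so the script runs offline; the sysfs check (bit 0x100, IFF_PROMISC, in /sys/class/net/<if>/flags) is an assumption about current kernels and is not something the post states.

```shell
#!/bin/sh
# Added example: verify whether a Linux interface is promiscuous, using
# the "ip link show" flag list the reply recommends. Parsing is split
# from running "ip" so the parser can be exercised on captured output.

# promisc_in_iplink IFACE  (reads "ip link show" text on stdin)
# Returns 0 if IFACE's <...> flag list contains PROMISC, 1 otherwise.
promisc_in_iplink() {
    awk -v ifname="$1" '
        # Header lines look like:
        #   2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ...
        # The second field is the name with a trailing colon (and an
        # "@parent" suffix for vlan/veth devices); the third is the flags.
        NF >= 3 && $1 ~ /^[0-9]+:$/ {
            name = $2
            sub(/:$/, "", name)
            sub(/@.*/, "", name)
            if (name != ifname) next
            flags = $3
            gsub(/[<>]/, ",", flags)          # <A,B,C> -> ,A,B,C,
            if (index(flags, ",PROMISC,") > 0) found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# promisc_flag_set HEXFLAGS
# Assumption: /sys/class/net/<if>/flags is the IFF_* bitmask in hex and
# IFF_PROMISC is 0x100. Returns 0 when the bit is set.
promisc_flag_set() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# check_promisc IFACE  -- live check on the local machine (hypothetical
# helper name). Prefers "ip link", falls back to sysfs, returns 0 if the
# interface is promiscuous, 1 if not, 2 if it could not be determined.
check_promisc() {
    if command -v ip >/dev/null 2>&1; then
        ip link show "$1" 2>/dev/null | promisc_in_iplink "$1"
        return $?
    fi
    if [ -r "/sys/class/net/$1/flags" ]; then
        promisc_flag_set "$(cat "/sys/class/net/$1/flags")"
        return $?
    fi
    return 2
}

# Constructed sample of "ip link show" output (not from a real host):
# eth0 has been opened promiscuously by some process, eth1 has not.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff'

for dev in eth0 eth1; do
    if printf '%s\n' "$SAMPLE_IP_LINK" | promisc_in_iplink "$dev"; then
        echo "$dev: PROMISC set (some process has it open promiscuously)"
    else
        echo "$dev: not promiscuous"
    fi
done
```

Run "check_promisc eth0" on the sensor after starting snort with -p: a return of 1 confirms nothing on that interface is promiscuous; a 0 means snort, or something else such as a tcpdump left running, has it open promisc.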
Current thread:
- disabling promiscuous mode sniffing Rob Burris (Feb 19)
- Re: disabling promiscuous mode sniffing twig les (Feb 19)
- Re: disabling promiscuous mode sniffing Rob Burris (Feb 19)
- Re: disabling promiscuous mode sniffing Nigel Houghton (Feb 19)
- Re: disabling promiscuous mode sniffing Bennett Todd (Feb 20)
- Re: disabling promiscuous mode sniffing twig les (Feb 19)