Snort mailing list archives

Re: disabling promiscuous mode sniffing


From: Bennett Todd <bet () rahul net>
Date: Thu, 20 Feb 2003 12:31:40 -0500

2003-02-19T14:05:24 Rob Burris:
> The -p option is used to disable promiscuous mode sniffing.

Right.

> I use it as the first option when starting snort from the command
> line.

That should work fine.

> I am still getting reports of scans to different hosts on my
> network.

Snort will be seeing all packets sent to or originated from your
host, even without promiscuous mode --- all promisc does is allow
packets that arrive on your interface even though they are neither
to nor from your host, to be accepted by the NIC and passed up the
stack at least to the packet capture interface.

If your host is either the src or the dest of these portscan reports
then this would not be surprising. Note that a portscan alert
doesn't necessarily mean that a portscan is in progress, the
portscan preprocessors (portscan and portscan2) false-positive on
servers that interact with many clients, as well as clients that
interact with many different servers.

> After starting snort is there a way to check and see if snort did
> NOT start in promiscuous mode?

That depends on your platform; you didn't say what platform you're
using. As far as I know, there's one answer for Linux, and a
different answer for all other Unixes. I've no idea the answer for
Windows.

Under most Unixes, "ifconfig -a" (or "ifconfig interfacename" to
list only the info for your ethernet interface) will list PROMISC
among the flags for a promiscuous interface.

There's a problem with the model implied by that behavior, that
"promisc" is a flag associated with the interface, rather than with
a process's open handle to that interface. Consider if you start
snort at boot time, from an init script, and just leave it running.
Now consider further if you should want to run tcpdump for a moment
to debug some networking problem. (These are just examples; the
problem shows up whenever you are using multiple programs that want
to put the interface in promisc.)

Snort will have set the interface to promisc.

Tcpdump will set it to promisc, which has no effect; it'll listen on
the promisc interface as well. That also works fine: both processes
will receive all the packets they ask for.

When tcpdump exits, it will reset the interface turning off the
promisc, and snort won't know about it. Problem.

Linux addressed this by effectively associating the promisc bit
not with the interface, but rather with the process's handle
open on that interface; this means that in the above scenario,
snort's promisc handle wouldn't be affected by tcpdump clearing
promisc as it exits; it also means that ifconfig no longer reports
promisc on interfaces unless you've used ifconfig to set the
promisc bit permanently (needed e.g. for promisc sniffing on bonded
interfaces)[1].

The upshot is that at least on Linux, to tell if any process has an
interface open promisc, you need to "ip link show eth0" (or eth1,
or whatever interface you're interested in). It _will_ include the
PROMISC bit if any process has that interface promisc.

-Bennett

[1] Bonding ties multiple interfaces --- e.g. eth1 and eth2 ---
together into one logical interface, e.g. bond0. This is valuable
e.g. when you want to join together the output from both directions
when using a network tap, so one snort process can see the
aggregated data as needed for tcp session reassembly and perhaps
other things as well. The bonding driver wasn't really designed for
snorting, though, it was designed for etherchannel-style
aggregation, and for high-availability failover designs. Bonding's
handling of promisc is a little curious. If you just use the normal
bonding setup:

        ifconfig bond0 up
        ifconfig eth1 up
        ifenslave bond0 eth1
        ifconfig eth2 up
        ifenslave bond0 eth2
        snort -i bond0 ...

the bond0 interface will be set to promisc by snort, but the bonding
driver won't propagate it down to the underlying physical
interfaces. That propagation is only done at ifenslave time, not
when promisc is later set on the bonding driver.

The fix is to "ifconfig bond0 promisc up"; then when you ifenslave
each of the underlying physical interfaces will also be set promisc.
And all of them will show their promisc status in ifconfig output.
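An added example (not part of Bennett's message or the Snort project) of the Linux check he describes: a small POSIX shell helper that looks for PROMISC in the flag list that "ip link show <iface>" prints on its first line. The two sample output blocks below are constructed, not captured from a real host; the function names (has_promisc_flag, is_promisc, check_sample) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: detect whether any process has a
# Linux interface open in promiscuous mode by inspecting "ip link show" output,
# which (unlike ifconfig on Linux) reports PROMISC while a capture handle is open.

# has_promisc_flag: read "ip link show <iface>" output on stdin; return 0 (true)
# if the <...> flag list on the first line contains the exact flag PROMISC.
has_promisc_flag() {
    # Pull out the text between the first '<' and '>' on line 1, split the
    # comma-separated flags one per line, and match PROMISC as a whole word
    # so an unrelated flag that merely contains the substring would not match.
    sed -n '1s/^[^<]*<\([^>]*\)>.*$/\1/p' | tr ',' '\n' | grep -qx 'PROMISC'
}

# is_promisc IFACE: live check against the real ip(8) command, e.g. "is_promisc eth0".
is_promisc() {
    ip link show "$1" 2>/dev/null | has_promisc_flag
}

# Constructed sample output (hypothetical interface, made-up MAC), one with
# PROMISC set and one without, so the parser can be exercised offline.
SAMPLE_PROMISC='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'
SAMPLE_PLAIN='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'

# check_sample promisc|plain: run the parser over one of the constructed samples;
# returns 0 when that sample shows PROMISC, 1 when it does not, 2 on a bad name.
check_sample() {
    case "$1" in
        promisc) printf '%s\n' "$SAMPLE_PROMISC" | has_promisc_flag ;;
        plain)   printf '%s\n' "$SAMPLE_PLAIN" | has_promisc_flag ;;
        *)       return 2 ;;
    esac
}

# Typical use on a live host (prints nothing when the interface is not promisc):
# is_promisc eth0 && echo "eth0: some process has it open in promiscuous mode"
```

Because the check reads the flag list rather than grepping the whole line, it is not fooled by the word appearing elsewhere in the output, and it works on any interface name you pass in, including a bond0 interface as discussed in the footnote.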
