Snort mailing list archives

Snort "promiscuous mode disabled...


From: "FRANCIS PROVENCHER" <francis.provencher () msp gouv qc ca>
Date: Fri, 11 May 2007 09:41:49 -0400

Hi all,
 
I've installed a Snort instance on my laptop, a FreeBSD box.
I start the process with /usr/local/etc/rc.d/snort start
 
 
I look at my /var/log/message
 
MyPC# /usr/local/etc/rc.d/snort start
Starting snort.
MyPC# ps aux | grep snort
root     2638 92.2 15.6 157376 120856  ??  Rs    9:34AM   0:06.17 /usr/local/bin/snort -Dq -c 
/usr/local/etc/snort/snort.conf

It starts OK, but 2 minutes later I see this message:
 
 
May 11 09:34:32  snort[2637]:       Are You There Threshold: 200
May 11 09:34:32  snort[2637]:       Normalize: YES
May 11 09:34:32  snort[2637]:       Detect Anomalies: NO
May 11 09:34:32  snort[2637]:     FTP CONFIG:
May 11 09:34:32  snort[2637]:       FTP Server: default
May 11 09:34:32  snort[2637]:         Ports: 21
May 11 09:34:32  snort[2637]:         Check for Telnet Cmds: YES alert: YES
May 11 09:34:32  snort[2637]:         Identify open data channels: YES
May 11 09:34:32  snort[2637]:       FTP Client: default
May 11 09:34:32 snort[2637]:         Check for Bounce Attacks: YES alert: YES
May 11 09:34:32  snort[2637]:         Check for Telnet Cmds: YES alert: YES
May 11 09:34:32 snort[2637]: SMTP Config:
May 11 09:34:32  snort[2637]:       Ports:
May 11 09:34:32  snort[2637]: 25
May 11 09:34:32  snort[2637]:
May 11 09:34:32  snort[2637]:       Inspection Type:            STATEFUL
May 11 09:34:32 snort[2637]:       Normalize Spaces:           YES
May 11 09:34:32 snort[2637]:       Ignore Data:                NO
May 11 09:34:32  snort[2637]:       Ignore TLS Data:            NO
May 11 09:34:32  snort[2637]:       Ignore Alerts:              NO
May 11 09:34:32 snort[2637]:       Max Command Length:         0
May 11 09:34:32  snort[2637]:       Max Header Line Length:     0
May 11 09:34:32  snort[2637]:       Max Response Line Length:   0
May 11 09:34:32  snort[2637]:       X-Link2State Alert:         YES
May 11 09:34:32  snort[2637]:       Drop on X-Link2State Alert: NO
May 11 09:34:32  snort[2637]:  DCE/RPC Decoder config:
May 11 09:34:32  snort[2637]:     Autodetect ports ENABLED
May 11 09:34:32  snort[2637]:     SMB fragmentation ENABLED
May 11 09:34:32  snort[2637]:     Obsolete DNS RR Types Alert: INACTIVE
May 11 09:34:32  snort[2637]:     Experimental DNS RR Types Alert: INACTIVE
May 11 09:34:32  snort[2637]:     Ports:
May 11 09:34:32  snort[2637]:  53
May 11 09:34:32  snort[2637]:
May 11 09:34:32  snort[2637]: Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
May 11 09:34:32  snort[2637]: Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
May 11 09:34:32 snort[2637]: 303 out of 512 flowbits in use.
May 11 09:34:32 snort[2637]: *** *** interface device lookup found: rl0 ***
May 11 09:34:32 snort[2637]: Initializing daemon mode
May 11 09:34:32  snort[2638]: PID path stat checked out ok, PID path set to /var/run/
May 11 09:34:32  snort[2638]: Writing PID "2638" to file "/var/run//snort_rl0.pid"
May 11 09:34:32  snort[2637]: Daemon parent exiting

May 11 09:35:23 MyPc rl0: promiscuous mode disabled
 
I don't know why it is doing this; it always worked before...
Do you know why promiscuous mode is disabled?
What can cause this?

Thanks for your help
 
Francis Provencher
Ministère de la Sécurité publique du Québec
Direction des technologies de l'information
Division de la sécurité informatique
Tel: 1 418 646-3258
Email: Francis.provencher () Msp gouv qc ca
 
CEH - Certified Ethical Hackers
SSCP - System Security Certified Practitioner
Sec+ - Security +
