Snort PROMISC question

fenriswolf · 02-13-2003, 02:47 PM

Okay, I'm running snort. It starts up at when I boot the box, and if I check /var/log/messages, it says it sets eth0 to promiscuous, like it should. When i do an ifconfig on eth0, it doesnt say Promisc though...any ideas?

I could manually set it to promiscuous, but I dont really think that would solve the problem....

any ideas?

unSpawn · 02-13-2003, 03:30 PM

IIRC it has to do with tools utilizing libpcap vs. the kernels' IOCTL gizmoids, anyway I haven't seen it block Snort functionality.

fenriswolf · 02-13-2003, 03:36 PM

not sure I 100% understand. Do you mean that Snort sets it to promiscuous, but the kernel (and IOCTL stuff) doesnt really realize this, so its really in promiscuous, but only snort knows this?

unSpawn · 02-13-2003, 04:01 PM

Yes. If you do "ifconfig <eth device> -promisc", syslog still will say "kernel: <eth device> Setting promiscuous mode", while actually setting setting it with "ifconfig <eth device> +promisc" will have a different line "kernel: device <eth device> entered promiscuous mode". If you run Snort w/o "-p" it should tell using the "device entered" line, but if you're running Snort with the "-p" option syslog still will say "kernel: <eth device> Setting promiscuous mode" even tho it isn't AFAIK.

Darin · 02-14-2003, 09:49 AM

Just offhand, what kind of network card is eth0? I know some 3Com cards have hardware that rejects packets that aren't either broadcasts or for the card's MAC. This is a design to speed up networking but makes it impossible to use promiscuous mode.

fenriswolf · 02-20-2003, 12:27 PM

I think its an HP card. Its an HP netserver, so whatever they use.