robeb | 02-20-2003 02:40 PM
Turn off Promiscuous Bit
I am running a Red Hat 7.2 router/firewall box w/ Snort 1.9.0 and trying to reduce the number of portscan logs from hosts not on my network, i.e.
SCAN SOCKS Proxy attempt [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 24.104.42.153:25788 -> 10.0.0.75:1080
I think turning promiscuous mode off on eth0 would help reduce the number of these portscan logs. Normally, I thought "ifconfig eth0 -promisc" would turn it off, since the PROMISC flag is not set when I do "ifconfig -a eth0" afterwards. However, upon the advice of a helpful soul, "ip link show eth0" shows that the interface is still in promiscuous mode. Apparently, snort turns it back on when it starts. Using -p w/ snort on the command line doesn't seem to help, either? I think it would help to manually turn off the promiscuous bit...but I don't know how?