Date:      Wed, 6 Aug 2003 08:36:23 -0400
From:      "Dave [Hawk-Systems]" <dave@hawk-systems.com>
To:        "FreeBSD Questions" <freebsd-questions@FreeBSD.ORG>
Subject:   ran snort, now fxp1 stuck in promisc mode
Message-ID:  <DBEIKNMKGOBGNDHAAKGNAEKJDCAC.dave@hawk-systems.com>

was experimenting with snort to try and track down the source of some hack
attempts (which were futile but annoying).  Before settling on the various flags
that I indeed wanted to use, there were a number of failed snort starts, stops,
etc...  don't remember the specifics now as this was some time ago.

Have noticed that since then the fxp1 interface has been stuck in promisc mode.

	fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500

Have tried manually to unset this using;
	# ifconfig -promisc fxp1
to no avail.

snort is no longer running, though when I do start it to track something, I have
since been running it with the -p flag to turn off promisc sniffing.  This
doesn't seem to affect the interface since it is already in promisc mode.

This box is regularly checked for root kits or other potential compromises that
could have caused this, and we did notice it after the first few unsuccessful
attempts with snort in promisc mode so we are pretty sure of the source.

Aside from rebooting the box entirely (undesirable given it is a production
server) anyone have any ideas as to how to force fxp1 to let go of its promisc
fetish?

Appreciate any suggestions.

Dave
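
A check for the condition described in the message, added here as an example and not part of the original e-mail: it reads BSD-style `ifconfig` output on stdin and lists the interfaces whose flags word has the PROMISC bit (0x100) set, decoding the hex value rather than trusting the name list. The function names and all sample lines other than the fxp1 line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original e-mail).
# Assumes BSD-style ifconfig output, where "flags=" is printed in hex.
IFF_PROMISC=0x100   # promiscuous bit in the interface flags word

# Read ifconfig output on stdin; print one interface name per line
# for every interface whose flags word has IFF_PROMISC set.
promisc_ifaces() {
    while IFS= read -r line; do
        case "$line" in
            *": flags="*)
                # Interface name is everything before the first colon.
                name=$(printf '%s' "${line%%:*}" | tr -d ' \t')
                rest=${line#*flags=}
                hex=${rest%%<*}
                # Skip anything that is not a plain hex number.
                case "$hex" in
                    ''|*[!0-9a-fA-F]*) continue ;;
                esac
                if [ $(( 0x$hex & $IFF_PROMISC )) -ne 0 ]; then
                    printf '%s\n' "$name"
                fi
                ;;
        esac
    done
}

# Constructed sample output; only the fxp1 line is taken from the message.
sample_ifconfig() {
    cat <<'EOF'
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
EOF
}

# Usage on a live host:  ifconfig -a | promisc_ifaces
```

Run from cron and compared against the interfaces expected to be sniffing, this turns an unexpected promiscuous interface into an alert instead of something noticed by chance.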



