From owner-freebsd-questions@FreeBSD.ORG  Wed Aug  6 05:36:28 2003
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 7586037B401
	for <freebsd-questions@FreeBSD.ORG>;
	Wed,  6 Aug 2003 05:36:28 -0700 (PDT)
Received: from web1.nexusinternetsolutions.net
	(web1.nexusinternetsolutions.net [206.47.131.12])
	by mx1.FreeBSD.org (Postfix) with SMTP id 839E543FB1
	for <freebsd-questions@FreeBSD.ORG>;
	Wed,  6 Aug 2003 05:36:27 -0700 (PDT)
	(envelope-from dave@hawk-systems.com)
Received: (qmail 87982 invoked from network); 6 Aug 2003 12:36:24 -0000
Received: from unknown (HELO ws1) (65.49.236.97)
  by web1.nexusinternetsolutions.net with SMTP; 6 Aug 2003 12:36:24 -0000
From: "Dave [Hawk-Systems]" <dave@hawk-systems.com>
To: "FreeBSD Questions" <freebsd-questions@FreeBSD.ORG>
Date: Wed, 6 Aug 2003 08:36:23 -0400
Message-ID: <DBEIKNMKGOBGNDHAAKGNAEKJDCAC.dave@hawk-systems.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
Subject: ran snort, now fxp1 stuck in promisc mode
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Aug 2003 12:36:28 -0000

was experimenting with snort to try and track down the source of some hack
attempts (which were futile but annoying).  Before settling on the various flags
that I indeed wanted to use, there were a number of failed snort starts, stops,
etc...  don't remember the specifics now as this was some time ago.

Have noticed that since then the fxp1 interface has been stuck in promisc mode.

	fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500

Have tried manually to unset this using;
	# ifconfig -promisc fxp1
to no avail.

snort is no longer running, though when I do start it to track something, I have
since been running it with the -p flag to turn off promisc sniffing.  This
doesn't seem to affect the interface since it is already in promisc mode.

This box is regularly checked for root kits or other potential comprimises that
could have caused this, and we did notice it after the first few unsuccessful
attempts with snort in promisc mode so we are pretty sure of the source.

Aside from rebooting the box entirely (undesireable given it is a production
server) anyone have any ideas as to how to force fxp1 to let go of its promisc
fetish?

Appreciate any suggestions.

Dave