From: Lowell Gilbert
To: "Dave [Hawk-Systems]"
cc: FreeBSD Questions
Subject: Re: ran snort, now fxp1 stuck in promisc mode
Date: 07 Aug 2003 13:58:10 -0400
Message-ID: <4465l98i4t.fsf@be-well.ilk.org>
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3

"Dave [Hawk-Systems]" writes:

> was experimenting with snort to try and track down the source of some hack
> attempts (which were futile but annoying). Before settling on the various flags
> that I indeed wanted to use, there were a number of failed snort starts, stops,
> etc... don't remember the specifics now as this was some time ago.
>
> Have noticed that since then the fxp1 interface has been stuck in promisc mode.
>
> fxp1: flags=8943 mtu 1500
>
> Have tried manually to unset this using;
> # ifconfig -promisc fxp1
> to no avail.
>
> snort is no longer running, though when I do start it to track something, I have
> since been running it with the -p flag to turn off promisc sniffing. This
> doesn't seem to affect the interface since it is already in promisc mode.
>
> This box is regularly checked for root kits or other potential compromises that
> could have caused this, and we did notice it after the first few unsuccessful
> attempts with snort in promisc mode so we are pretty sure of the source.
>
> Aside from rebooting the box entirely (undesirable given it is a production
> server) anyone have any ideas as to how to force fxp1 to let go of its promisc
> fetish?

Hmm.  I don't see how this can happen (on -STABLE, anyway), but it's
worth poking it a bit to see what happens.  You could take the
interface down and back up, and try to force the interface *into*
promiscuous mode and then back out again.
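The "poke it and see" procedure from the reply, written out as a small sh script. This is an added example, not code from either poster. It assumes a BSD-style ifconfig(8) whose first output line for an interface reads "fxp1: flags=8943<UP,...,PROMISC,...> mtu 1500", and that IFF_PROMISC is bit 0x100 of the flags word as in FreeBSD's <net/if.h> (0x8943 is exactly UP|BROADCAST|RUNNING|PROMISC|SIMPLEX|MULTICAST, the value Dave saw). The two sample ifconfig outputs are constructed for the test, not captured from his box. The check works on the hex number alone, so it also copes with the flag-name list being stripped as it is in the quoted output above.

```sh
#!/bin/sh
# Added example for this thread; not code from the original post or reply.
# Assumes BSD-style ifconfig(8) output and IFF_PROMISC == 0x100 (FreeBSD
# <net/if.h>). Run as root on a real box to actually cycle an interface.

# Constructed sample: 0x8943 = UP|BROADCAST|RUNNING|PROMISC|SIMPLEX|MULTICAST,
# the flags value quoted in the thread.
SAMPLE_PROMISC='fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'
# Constructed sample: the same interface with PROMISC (0x100) cleared.
SAMPLE_CLEAN='fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'

# is_promisc IFCONFIG_OUTPUT
# Exit 0 if IFF_PROMISC is set in the hex flags word on the first line,
# 1 if it is clear, 2 if no "flags=" field was found at all. Only the number
# is examined, so the truncated "flags=8943 mtu 1500" form is handled too.
is_promisc() {
    flags=$(printf '%s\n' "$1" | sed -n '1s/.*flags=\([0-9a-fA-F]*\).*/\1/p')
    [ -n "$flags" ] || return 2
    [ $(( 0x$flags & 0x100 )) -ne 0 ]
}

# cycle_promisc IFACE
# The poke Lowell suggests: bring the interface down and up, force it into
# promiscuous mode and back out, then re-check the flag. Needs root and a
# real interface, so it is only defined here and never called at load time.
cycle_promisc() {
    iface=$1
    ifconfig "$iface" down && ifconfig "$iface" up || return 1
    ifconfig "$iface" promisc && ifconfig "$iface" -promisc || return 1
    if is_promisc "$(ifconfig "$iface")"; then
        echo "$iface: PROMISC still set after cycling" >&2
        return 2
    fi
    echo "$iface: PROMISC clear"
}

# Usage on a real box (as root):
#   . ./promisc.sh && cycle_promisc fxp1
# Read-only check, no changes to the interface:
#   is_promisc "$(ifconfig fxp1)" && echo "fxp1 is promiscuous"
```

is_promisc is the same test a rootkit checker performs, so it is worth running from cron on every interface and alerting on any unexpected 0; a sniffer that was started deliberately should show up in the process list or bpf(4) users, and one that does not is the case Dave's checks are meant to catch.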