Date:      07 Aug 2003 13:58:10 -0400
From:      Lowell Gilbert <freebsd-questions-local@be-well.no-ip.com>
To:        "Dave [Hawk-Systems]" <dave@hawk-systems.com>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: ran snort, now fxp1 stuck in promisc mode
Message-ID:  <4465l98i4t.fsf@be-well.ilk.org>
In-Reply-To: <DBEIKNMKGOBGNDHAAKGNAEKJDCAC.dave@hawk-systems.com>
References:  <DBEIKNMKGOBGNDHAAKGNAEKJDCAC.dave@hawk-systems.com>

"Dave [Hawk-Systems]" <dave@hawk-systems.com> writes:

> was experimenting with snort to try and track down the source of some hack
> attempts (which were futile but annoying).  Before settling on the various flags
> that I indeed wanted to use, there were a number of failed snort starts, stops,
> etc...  don't remember the specifics now as this was some time ago.
> 
> Have noticed that since then the fxp1 interface has been stuck in promisc mode.
> 
> 	fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
> 
> Have tried manually to unset this using;
> 	# ifconfig -promisc fxp1
> to no avail.
> 
> snort is no longer running, though when I do start it to track something, I have
> since been running it with the -p flag to turn off promisc sniffing.  This
> doesn't seem to affect the interface since it is already in promisc mode.
> 
> This box is regularly checked for root kits or other potential compromises that
> could have caused this, and we did notice it after the first few unsuccessful
> attempts with snort in promisc mode so we are pretty sure of the source.
> 
> Aside from rebooting the box entirely (undesirable given it is a production
> server) anyone have any ideas as to how to force fxp1 to let go of its promisc
> fetish?

Hmm.  I don't see how this can happen (on -STABLE, anyway), but it's
worth poking it a bit to see what happens.  You could take the
interface down and back up, and try to force the interface *into*
promiscuous mode and then back out again.
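
As an added example (not part of the original messages), the sh script below decodes the hex flags word that ifconfig prints, as in the fxp1 line quoted above, and lists interfaces with IFF_PROMISC (0x100) set, so the state can be checked before and after toggling the interface. The function names are hypothetical, and the sample input other than the fxp1 line is constructed.

```shell
#!/bin/sh
# Added example: decode the hex "flags=" word printed by ifconfig and list
# interfaces with IFF_PROMISC set. Function names are hypothetical.

IFF_PROMISC=$((0x100))   # IFF_PROMISC from <net/if.h>

# bit:name pairs (hex) for the classic BSD interface flags
FLAG_TABLE="1:UP 2:BROADCAST 4:DEBUG 8:LOOPBACK 10:POINTOPOINT 40:RUNNING
80:NOARP 100:PROMISC 200:ALLMULTI 400:OACTIVE 800:SIMPLEX 1000:LINK0
2000:LINK1 4000:LINK2 8000:MULTICAST"

# decode_flags HEX -> comma-separated flag names, lowest bit first
decode_flags() {
    val=$(( 0x$1 )); out=
    for pair in $FLAG_TABLE; do
        if [ $(( val & 0x${pair%%:*} )) -ne 0 ]; then
            out="${out:+$out,}${pair#*:}"
        fi
    done
    printf '%s\n' "$out"
}

# promisc_ifaces: read ifconfig output on stdin; for every interface whose
# flags word has the PROMISC bit, print "<name> <hex> <decoded names>"
promisc_ifaces() {
    while IFS= read -r line; do
        case $line in
            *": flags="*) ;;          # interface header line
            *) continue ;;            # address/option lines: skip
        esac
        name=${line%%:*}
        hex=${line#*flags=}
        hex=${hex%%<*}
        case $hex in
            ''|*[!0-9a-fA-F]*) continue ;;   # not a clean hex word: skip
        esac
        if [ $(( 0x$hex & IFF_PROMISC )) -ne 0 ]; then
            printf '%s %s %s\n' "$name" "$hex" "$(decode_flags "$hex")"
        fi
    done
}

# Constructed sample; only the fxp1 line is taken from the message above.
SAMPLE='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384'

printf '%s\n' "$SAMPLE" | promisc_ifaces
```

On a live host, pipe `ifconfig -a` into `promisc_ifaces` instead of the sample.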


