[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RE: NIC losts promisc. mode

> Hello, All!
> I have installed snort-box (intrusion detection system) on debian. The box
> has 3 interfaces. eth1 attached to LAN and used to control box, view logs
> etc; it was been assigned with local IP address.
> eth0 and eth2 interfaces used as sensors (they attached to two different
> segments on demilitarized zone). They have not any ip-addresses
> assigned (on
> start up they initialized simple as "ifconfig eth0 up" and "ifconfig eth2
> up")
> Sensor on eth0 works fine, but eth2 after some time lost promisc
> mode (I see
> in syslog message "device eth2 left promiscuous mode").
> In segment, to which eth2 attached, there is more heavy traffic, than in
> segment, to which eth0 attached. When I exchange NIC (attach eth0
> to "heavy"
> segment and eth2 to "light" segment), eth2 starts work fine and
> eth0 starts
> lost promisc mode.
> Configuration.
> Kernel 2.2.19pre17-compact #1 Mon Apr 2 01:35:19 PDT 2001 i586 unknown
> libpcap0       0.6.2-1
> snort          1.7-9
> CPU: Pentium-166
> Mem:         2993
> Swap:        66492
> Any ideas? Why NIC losts promisc mode? How can I fix it? (temporary
> solution: I added to crontab restart snort every 30 minutes, but
> this is not
> good idea).
> With best regards,
>                              Vladislav.

Well I'm no expert, but Im thinking that snort is getting overloaded
somehow.  It is obviously not the NIC because both failed on that network
segment.  Maybe a computer on that segment is causeing the problems or some
configuration on that part of the network is causeing the process to die.
Though I would first investigate snort.

Reply to: