ran snort, now fxp1 stuck in promisc mode
dave at hawk-systems.com
Wed Aug 6 05:36:28 PDT 2003
Was experimenting with snort to try and track down the source of some hack
attempts (which were futile but annoying). Before settling on the various flags
that I indeed wanted to use, there were a number of failed snort starts, stops,
etc... don't remember the specifics now as this was some time ago.
Have noticed that since then the fxp1 interface has been stuck in promisc mode.
fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
Have tried manually to unset this using:
# ifconfig -promisc fxp1
to no avail.
snort is no longer running, though when I do start it to track something, I have
since been running it with the -p flag to turn off promisc sniffing. This
doesn't seem to affect the interface since it is already in promisc mode.
This box is regularly checked for root kits or other potential compromises that
could have caused this, and we did notice it after the first few unsuccessful
attempts with snort in promisc mode so we are pretty sure of the source.
Aside from rebooting the box entirely (undesirable given it is a production
server) anyone have any ideas as to how to force fxp1 to let go of its promisc
Appreciate any suggestions.