Hello, All!

I have installed a snort box (intrusion detection system) on Debian. The box has 3 interfaces. eth1 is attached to the LAN and is used to control the box, view logs, etc.; it has been assigned a local IP address. The eth0 and eth2 interfaces are used as sensors (they are attached to two different segments in the demilitarized zone). They do not have any IP addresses assigned (on startup they are initialized simply as "ifconfig eth0 up" and "ifconfig eth2 up").

The sensor on eth0 works fine, but eth2 loses promisc mode after some time (I see the syslog message "device eth2 left promiscuous mode"). The segment to which eth2 is attached has heavier traffic than the segment to which eth0 is attached. When I exchange the NICs (attach eth0 to the "heavy" segment and eth2 to the "light" segment), eth2 starts to work fine and eth0 starts to lose promisc mode.

Configuration:

Kernel 2.2.19pre17-compact #1 Mon Apr 2 01:35:19 PDT 2001 i586 unknown
libpcap0 0.6.2-1
snort 1.7-9
CPU: Pentium-166
Mem: 2993
Swap: 66492

Any ideas? Why does the NIC lose promisc mode? How can I fix it? (Temporary solution: I added a snort restart every 30 minutes to crontab, but this is not a good idea.)

With best regards,
Vladislav.