> Hello, All!
>
> I have installed a snort box (intrusion detection system) on Debian. The box
> has 3 interfaces. eth1 is attached to the LAN and used to control the box, view logs,
> etc.; it has been assigned a local IP address.
> The eth0 and eth2 interfaces are used as sensors (they are attached to two different
> segments of the demilitarized zone). They do not have any IP addresses assigned (on
> startup they are initialized simply with "ifconfig eth0 up" and "ifconfig eth2 up").
> The sensor on eth0 works fine, but eth2 loses promisc mode after some time (I see
> the message "device eth2 left promiscuous mode" in syslog).
> The segment to which eth2 is attached carries heavier traffic than the
> segment to which eth0 is attached. When I exchange the NICs (attach eth0 to the "heavy"
> segment and eth2 to the "light" segment), eth2 starts to work fine and eth0 starts
> to lose promisc mode.
>
> Configuration:
> Kernel 2.2.19pre17-compact #1 Mon Apr 2 01:35:19 PDT 2001 i586 unknown
> libpcap0 0.6.2-1
> snort 1.7-9
> CPU: Pentium-166
> Mem: 2993
> Swap: 66492
>
> Any ideas? Why does the NIC lose promisc mode? How can I fix it? (Temporary
> solution: I added a snort restart every 30 minutes to crontab, but this is not
> a good idea.)
>
> With best regards,
> Vladislav.

Well, I'm no expert, but I'm thinking that snort is getting overloaded somehow. It is obviously not the NIC because both failed on that network segment. Maybe a computer on that segment is causing the problems or some configuration on that part of the network is causing the process to die. Though I would first investigate snort.
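
One way to track the syslog message quoted above and see how long each sensor interface stays in promiscuous mode before dropping out, as an added example that is not part of the original thread. The function names, the host name `sensor` and the log lines are constructed for illustration; the classic syslog timestamp layout is an assumption.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not taken from the thread).
SAMPLE_SYSLOG = """\
Apr 10 09:00:01 sensor kernel: device eth0 entered promiscuous mode
Apr 10 09:00:02 sensor kernel: device eth2 entered promiscuous mode
Apr 10 09:27:40 sensor kernel: device eth2 left promiscuous mode
Apr 10 09:30:00 sensor kernel: device eth2 entered promiscuous mode
Apr 10 09:52:13 sensor kernel: device eth2 left promiscuous mode
"""

# Assumed layout: "Mon DD HH:MM:SS host kernel: device ethX <verb> promiscuous mode"
PROMISC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\skernel:.*?"
    r"device (?P<dev>\S+) (?P<verb>entered|left) promiscuous mode")

def promisc_timeline(log_text, year=2001):
    """Replay the log; return per-device state and seconds spent in promisc mode."""
    state = {}
    for line in log_text.splitlines():
        m = PROMISC_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        # Classic syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        dev = state.setdefault(
            m["dev"], {"promisc": False, "since": None, "uptimes": []})
        if m["verb"] == "entered":
            dev["promisc"], dev["since"] = True, ts
        else:
            # A "left" with no matching "entered" (rotated log) adds no interval.
            if dev["since"] is not None:
                dev["uptimes"].append(int((ts - dev["since"]).total_seconds()))
            dev["promisc"], dev["since"] = False, None
    return state

def dead_sensors(state, expected):
    """Sensor interfaces that should be sniffing but are not in promisc mode."""
    return sorted(d for d in expected
                  if not state.get(d, {}).get("promisc", False))

if __name__ == "__main__":
    st = promisc_timeline(SAMPLE_SYSLOG)
    for name, info in sorted(st.items()):
        print(name, "promisc" if info["promisc"] else "NOT promisc", info["uptimes"])
    print("needs attention:", dead_sensors(st, ["eth0", "eth2"]))
```

Comparing the recorded intervals against snort's own exit messages in the same log shows whether the interface drops out because the sniffing process died, which is what the reply suggests checking first.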

