"Dave [Hawk-Systems]" <[EMAIL PROTECTED]> writes:

> was experimenting with snort to try and track down the source of some hack
> attempts (which were futile but annoying).  Before settling on the various flags
> that I indeed wanted to use, there were a number of failed snort starts, stops,
> etc... don't remember the specifics now as this was some time ago.
>
> Have noticed that since then the fxp1 interface has been stuck in promisc mode.
>
> fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>
> Have tried manually to unset this using;
> # ifconfig -promisc fxp1
> to no avail.
>
> snort is no longer running, though when I do start it to track something, I have
> since been running it with the -p flag to turn off promisc sniffing.  This
> doesn't seem to affect the interface since it is already in promisc mode.
>
> This box is regularly checked for root kits or other potential compromises that
> could have caused this, and we did notice it after the first few unsuccessful
> attempts with snort in promisc mode so we are pretty sure of the source.
>
> Aside from rebooting the box entirely (undesirable given it is a production
> server) anyone have any ideas as to how to force fxp1 to let go of its promisc
> fetish?

Hmm.  I don't see how this can happen (on -STABLE, anyway), but it's
worth poking it a bit to see what happens.  You could take the
interface down and back up, and try to force the interface *into*
promiscuous mode and then back out again.
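
Added example, not part of either message: a check that can be run before and after each step suggested above to see whether the PROMISC bit actually cleared. It reads BSD-style ifconfig output on stdin (flags word printed in hex, as in the quoted fxp1 line) and lists interfaces with IFF_PROMISC (0x100) set. The function name and the sample text are constructed for illustration; only the fxp1 line comes from the thread.

```shell
#!/bin/sh
# Added example: list interfaces whose flags word has IFF_PROMISC set.
# Assumes BSD-style ifconfig output, where the flags word is hexadecimal:
#   fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
# 0x8943 = MULTICAST(0x8000) | SIMPLEX(0x800) | PROMISC(0x100)
#        | RUNNING(0x40) | BROADCAST(0x2) | UP(0x1)

IFF_PROMISC=0x100

# promisc_ifaces: read ifconfig output on stdin, print one interface
# name per line for every interface with the PROMISC bit set.
promisc_ifaces() {
    # Keep only interface header lines, reduced to "name hexflags".
    sed -n 's/^\([A-Za-z0-9_.]*\): flags=\([0-9A-Fa-f]*\)<.*/\1 \2/p' |
    while read -r ifname hexflags; do
        # Test the bit in the numeric word, not the name list,
        # so a reordered or truncated name list does not matter.
        if [ $(( 0x$hexflags & IFF_PROMISC )) -ne 0 ]; then
            echo "$ifname"
        fi
    done
}

# Constructed sample input; fxp0 and lo0 are made up for contrast.
SAMPLE='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384'

# Live use on the host:  ifconfig -a | promisc_ifaces
# Offline use on the sample:
#   printf '%s\n' "$SAMPLE" | promisc_ifaces
```

An empty result after the down/up and promisc on/off cycle means the bit cleared; if fxp1 is still listed while no sniffer is running, that is worth recording alongside the rootkit checks already in place.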