[Snort-users] Snort dies



#1  05-23-2006
Pablo Venini

[Snort-users] Snort dies

Hi, I'm doing my first snort installation. I installed it without problems and configured it to log alerts via syslog. Everything seems OK, but after running for a while it dies, sending the following message to syslog:

May 23 10:49:39 localhost kernel: eth0.7: dev_set_promiscuity(master, -1)
May 23 10:49:39 localhost kernel: device eth0.7 left promiscuous mode

This seems to occur whenever the following traffic is detected:

May 23 10:49:39 localhost snort[8729]: [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY <eth0.7> {TCP} xxx.xxx.xxx.xxx:59635 -> xxx.xxx.xxx.xxx:80

This traffic originates in my internal network and goes to MSN services like Hotmail and WebMessenger.

I'm using Snort 2.4.4 with the current ruleset, running on a Red Hat Linux box with kernel version 2.4.20-8. I'm also using logsurfer to scan the syslog file and send alerts via mail. The NIC is an Intel PRO1000 GT with VLAN support enabled in the kernel; it has 7 subinterfaces but I'm running snort in only one of them. The box is also running tcpdump in another subinterface.
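One way to check the poster's suspicion that the interface drops out of promiscuous mode right after a particular snort alert is to correlate the two syslog sources by interface and time. The script below is an added example, not code from the post or from Snort; it embeds the poster's three log lines plus one constructed, earlier alert, and assumes the year 2006 (classic syslog timestamps omit it) and a 5-second correlation window.

```python
import re
from datetime import datetime

# Constructed sample: the poster's three syslog lines plus one earlier, unrelated alert.
SAMPLE = """\
May 23 10:49:12 localhost snort[8729]: [1:1000001:1] CONSTRUCTED TEST ALERT <eth0.7> {TCP} 10.0.0.5:40000 -> 10.0.0.9:80
May 23 10:49:39 localhost snort[8729]: [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY <eth0.7> {TCP} xxx.xxx.xxx.xxx:59635 -> xxx.xxx.xxx.xxx:80
May 23 10:49:39 localhost kernel: eth0.7: dev_set_promiscuity(master, -1)
May 23 10:49:39 localhost kernel: device eth0.7 left promiscuous mode
"""

# Classic syslog: "Mon DD HH:MM:SS host prog[pid]: message" (no year in the timestamp).
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                       r"(?P<prog>[\w.\-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# Snort syslog alert body: "[gid:sid:rev] MESSAGE <iface> {PROTO} src:port -> dst:port"
ALERT_RE = re.compile(r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<text>.*?) <(?P<iface>[^>]+)>")
PROMISC_OFF_RE = re.compile(r"device (?P<iface>\S+) left promiscuous mode")

def parse(line, year=2006):
    """Split one syslog line into fields; the year is an assumption (syslog omits it)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "prog": m["prog"], "pid": m["pid"], "msg": m["msg"]}

def correlate(lines, window=5):
    """For every 'left promiscuous mode' kernel message, collect the snort alerts on
    the same interface that fired within `window` seconds before (or at) that moment."""
    events = [e for e in map(parse, lines) if e]
    results = []
    for ev in events:
        k = PROMISC_OFF_RE.search(ev["msg"]) if ev["prog"] == "kernel" else None
        if not k:
            continue
        alerts = []
        for a in events:
            m = ALERT_RE.match(a["msg"]) if a["prog"] == "snort" else None
            if m and m["iface"] == k["iface"] and 0 <= (ev["ts"] - a["ts"]).total_seconds() <= window:
                alerts.append({"sid": f"{m['gid']}:{m['sid']}:{m['rev']}", "text": m["text"], "pid": a["pid"]})
        results.append({"iface": k["iface"], "when": ev["ts"], "alerts": alerts})
    return results

if __name__ == "__main__":
    for r in correlate(SAMPLE.splitlines()):
        print(f"{r['when']} {r['iface']} left promiscuous mode; alerts in the prior 5s:")
        for a in r["alerts"]:
            print(f"  snort[{a['pid']}] {a['sid']} {a['text']}")
```

Run it against the real syslog file instead of SAMPLE: if the same gid:sid:rev keeps appearing in the window before each drop-out, that is the alert to investigate; if the window is empty, the interface change is unrelated to snort's detection path.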