Is this behaviour normal?
-
When I checked my daily log report I noticed that every interface on em0/em1 did:
May 1 05:35:01 pfsense kernel: em1.X: promiscuous mode disabled
(Message repeated for WAN: em0 - LAN: em1 + em1:everyVLAN)
followed by
May 1 05:35:01 pfsense kernel: em1.X: promiscuous mode enabled
(Message repeated for WAN: em0 - LAN: em1 + em1:everyVLAN)
Is this normal? The system wasn't rebooted--in fact it had been up for over 60 days.
I decided to reboot pfSense just in case there was something funny going on. Is there anything else I need to investigate? What causes this kind of thing to happen?
-
It's normal if you happen to have packages installed that would flip the NIC into promiscuous mode as part of their normal operations, like snort.
-
As @KOM stated, the two IDS/IPS packages of Snort and Suricata will by default flip the interface they are installed on to promiscuous mode so they can sniff everything
hitting the interface. Suricata does give the user the option of disabling promiscuous mode, though. It's on the INTERFACE SETTINGS tab when you edit a configured Suricata interface.
-
@bmeeks said in Is this behaviour normal?:
As @KOM stated, the two IDS/IPS packages of Snort and Suricata will by default flip the interface they are installed on to promiscuous mode so they can sniff everything
hitting the interface. Suricata does give the user the option of disabling promiscuous mode, though. It's on the INTERFACE SETTINGS tab when you edit a configured Suricata interface.
@KOM said in Is this behaviour normal?:
It's normal if you happen to have packages installed that would flip the NIC into promiscuous mode as part of their normal operations, like snort.
Thanks very much for the replies. I haven't had either Snort or Suricata installed recently as I found the setup to be more than I had time to deal with.
Here are the packages I currently have installed:
arping
Backup
Cron
darkstat
iftop
iperf
mailreport
nmap
notes
nut
openvpn-client-export
pfBlockerNG
RRD_Summary
Softflowd
Status_Traffic_Totals
stunnel
sudo
syslog-ng
Any thoughts?
-
Maybe nmap? You certainly are running every package under the Sun.