1. Home
  2. pfSense® Software
  3. General pfSense Questions
  4. Is this behaviour normal?

Is this behaviour normal?

  • G

    When I checked my daily log report I noticed that every interface on em0/em1 did:

    May 1 05:35:01 pfsense kernel: em1.X: promiscuous mode disabled
    (Message repeated for WAN: em0 - LAN: em1 + em1:everyVLAN)
    followed by
    May 1 05:35:01 pfsense kernel: em1.X: promiscuous mode enabled
    (Message repeated for WAN: em0 - LAN: em1 + em1:everyVLAN)

    Is this normal? The system wasn't rebooted--infact it had been up for over 60 days.

    I decided to reboot pfSense just in case there was something funny going on. Is there anything else I need to investigate? What causes this kind of thing to happen?

    0
  • KOM

    It's normal if you happen to have packages installed that would flip the NIC into promiscuous mode as part of their normal operations, like snort.

    0
  • bmeeks

    As @KOM stated, the two IDS/IPS packages of Snort and Suricata will by default flip the interface they are installed on to promiscuous mode so they can sniff everything traversing hitting the interface. Suricata does give the user the option of disabling promiscuous mode, though. It's on the INTERFACE SETTINGS tab when you edit a configured Suricata interface.

    0 G 1 Reply
  • G

    @bmeeks said in Is this behaviour normal?:

    As @KOM stated, the two IDS/IPS packages of Snort and Suricata will by default flip the interface they are installed on to promiscuous mode so they can sniff everything traversing hitting the interface. Suricata does give the user the option of disabling promiscuous mode, though. It's on the INTERFACE SETTINGS tab when you edit a configured Suricata interface.

    @KOM said in Is this behaviour normal?:

    It's normal if you happen to have packages installed that would flip the NIC into promiscuous mode as part of their normal operations, like snort.

    Thanks very much for the replies. I haven't had either Snort or Suricata installed recently as I found the setup to be more than I had time to deal with.

    Here are the packages I currently have installed:
    arping
    Backup
    Cron
    darkstat
    iftop
    iperf
    mailreport
    nmap
    notes
    nut
    openvpn-client-export
    pfBlockerNG
    RRD_Summary
    Softflowd
    Status_Traffic_Totals
    stunnel
    sudo
    syslog-ng

    Any thoughts?

    0
  • KOM

    Maybe nmap? You certainly are running ever package under the Sun 😀

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy