kernel mvneta0: promiscuous mode enabled

JonathanLee

Hello fellow Netgate community members is this normal? The wording of this I have to admit does cause me some concern. I am running NFS so I can not run a fsck. The software was just reinstalled. It looks to be snort related.

Apr 19 00:16:42 kernel mvneta0: promiscuous mode enabled

Apr 19 06:15:14 php 35782 [Snort] Snort AppID Open Text Rules are up to date...
Apr 19 06:15:14 php 35782 [Snort] Snort OpenAppID detectors are up to date...
Apr 19 06:15:14 php 35782 [Snort] Snort Subscriber rules are up to date...
Apr 19 04:17:00 sshguard 78622 Now monitoring attacks.
Apr 19 04:17:00 sshguard 4730 Exiting on signal.
Apr 19 03:01:01 root 58241 rc.update_bogons.sh is sleeping for 21557
Apr 19 03:01:01 root 55843 rc.update_bogons.sh is starting up.
Apr 19 00:27:00 sshguard 4730 Now monitoring attacks.
Apr 19 00:27:00 sshguard 73811 Exiting on signal.
Apr 19 00:16:42 php 69923 [Snort] The Rules update has finished.
Apr 19 00:16:42 php 69923 [Snort] Snort has restarted on WAN with your new set of rules...
Apr 19 00:16:42 kernel mvneta0: promiscuous mode enabled
Apr 19 00:15:32 snort 78906 AppInfo: AppId 2314 is UNKNOWN
Apr 19 00:15:32 snort 78906 Invalid direct service AppId, 2314, for 0x4304cce0 0x483e35c0
Apr 19 00:15:32 snort 78906 AppInfo: AppId 2312 is UNKNOWN
Apr 19 00:15:32 snort 78906 Invalid direct service AppId, 2312, for 0x4304cce0 0x483e35c0
Apr 19 00:15:32 snort 78906 AppInfo: AppId 5349 is UNKNOWN
Apr 19 00:15:32 snort 78906 Invalid direct service AppId, 5349, for 0x4304cce0 0x48c68540
Apr 19 00:15:32 snort 78906 AppInfo: AppId 5348 is UNKNOWN
Apr 19 00:15:32 snort 78906 Invalid direct service AppId, 5348, for 0x4304cce0 0x48c68540
Apr 19 00:15:32 snort 78906 AppInfo: AppId 5347 is UNKNOWN
Apr 19 00:15:32 snort 78906 Invalid direct service AppId, 5347, for 0x4304cce0 0x48c68540
Apr 19 00:15:32 snort 78906 AppInfo: AppId 5346 is UNKNOWN
Apr 19 00:15:32 snort 78906 Invalid direct service AppId, 5346, for 0x4304cce0 0x48c68540
Apr 19 00:15:32 snort 78906 AppInfo: AppId 5345 is UNKNOWN
Apr 19 00:15:32 snort 78906 Invalid direct service AppId, 5345, for 0x4304cce0 0x48c68540
Apr 19 00:15:32 snort 78906 AppInfo: AppId 5344 is UNKNOWN
Apr 19 00:15:32 snort 78906 Invalid direct service AppId, 5344, for 0x4304cce0 0x48c68540
Apr 19 00:15:32 snort 78906 AppInfo: AppId 5343 is UNKNOWN
Apr 19 00:15:32 snort 78906 Invalid direct service AppId, 5343, for 0x4304cce0 0x48c68540
Apr 19 00:15:32 snort 78906 AppInfo: AppId 5342 is UNKNOWN
Apr 19 00:15:32 snort 78906 Invalid direct service AppId, 5342, for 0x4304cce0 0x48c68540
Apr 19 00:15:32 snort 78906 AppInfo: AppId 5341 is UNKNOWN
Apr 19 00:15:32 snort 78906 Invalid direct service AppId, 5341, for 0x4304cce0 0x48c68540
Apr 19 00:15:32 snort 78906 AppInfo: AppId 5340 is UNKNOWN
Apr 19 00:15:32 snort 78906 Invalid direct service AppId, 5340, for 0x4304cce0 0x48c68540
Apr 19 00:15:32 snort 78906 AppInfo: AppId 5339 is UNKNOWN
Apr 19 00:15:32 snort 78906 Invalid direct service AppId, 5339, for 0x4304cce0 0x48c68540
Apr 19 00:15:32 snort 78906 AppInfo: AppId 5338 is UNKNOWN
Apr 19 00:15:32 snort 78906 Invalid direct service AppId, 5338, for 0x4304cce0 0x48c68540
Apr 19 00:15:32 snort 78906 AppInfo: AppId 5337 is UNKNOWN
Apr 19 00:15:32 snort 78906 Invalid direct service AppId, 5337, for 0x4304cce0 0x48c68540
Apr 19 00:15:32 snort 78906 AppInfo: AppId 5336 is UNKNOWN
Apr 19 00:15:32 snort 78906 Invalid direct service AppId, 5336, for 0x4304cce0 0x48c68540
Apr 19 00:15:32 snort 78906 AppInfo: AppId 4082 is UNKNOWN
Apr 19 00:15:32 snort 78906 AppInfo: AppId 4519 is UNKNOWN
Apr 19 00:15:32 snort 78906 AppInfo: AppId 4140 is UNKNOWN
Apr 19 00:15:32 snort 78906 AppInfo: AppId 4082 is UNKNOWN
Apr 19 00:15:32 snort 78906 AppInfo: AppId 4519 is UNKNOWN
Apr 19 00:15:32 snort 78906 AppInfo: AppId 4140 is UNKNOWN
Apr 19 00:15:32 snort 78906 AppInfo: AppId 4140 is UNKNOWN
Apr 19 00:15:32 snort 78906 Could not initialize the content_group_process_client_352 client app element: [string ""]:528: attempt to call method 'addProcessToClientMapping' (a nil value)
Apr 19 00:15:32 snort 78906 AppInfo: AppId 4314 is UNKNOWN
Apr 19 00:15:32 snort 78906 AppInfo: AppId 4295 is UNKNOWN
Apr 19 00:15:32 snort 78906 AppInfo: AppId 3646 is UNKNOWN
Apr 19 00:15:32 snort 78906 AppInfo: AppId 3646 is UNKNOWN
Apr 19 00:15:32 snort 78906 AppInfo: AppId 4295 is UNKNOWN
Apr 19 00:15:32 snort 78906 AppId
Apr 19 00:15:32 snort 78906 AppId
Apr 19 00:15:32 snort 78906 AppId
Apr 19 00:15:32 snort 78906 AppId
Apr 19 00:15:32 snort 78906 AppId
Apr 19 00:15:32 snort 78906 AppId
Apr 19 00:15:29 snort 78906 AppId
Apr 19 00:15:29 snort 78906 AppId
Apr 19 00:15:29 snort 78906 AppId
Apr 19 00:15:29 snort 78906 AppId
Apr 19 00:15:29 snort 78906 AppId
Apr 19 00:15:29 php 69923 [Snort] Snort START for WAN(mvneta0)...
Apr 19 00:15:28 kernel mvneta0: promiscuous mode disabled
Apr 19 00:15:28 snort 80409 *** Caught Term-Signal
Apr 19 00:15:27 php 69923 [Snort] Snort STOP for WAN(mvneta0)...
Apr 19 00:15:24 php 69923 [Snort] Building new sid-msg.map file for WAN...
Apr 19 00:15:23 php 69923 [Snort] Enabling any flowbit-required rules for: WAN...
Apr 19 00:15:21 php 69923 [Snort] Enabling any flowbit-required rules for: WAN...
Apr 19 00:15:13 php 69923 [Snort] Updating rules configuration for: WAN ...
Apr 19 00:15:13 php 69923 [Snort] Removed 0 obsoleted rules category files.
Apr 19 00:15:13 php 69923 [Snort] Hide Deprecated Rules is enabled. Removing obsoleted rules categories.
Apr 19 00:15:13 php 69923 [Snort] Feodo Tracker Botnet C2 IP rules were updated...
Apr 19 00:15:13 php 69923 [Snort] Feodo Tracker Botnet C2 IP rules file update downloaded successfully.
Apr 19 00:15:12 php 69923 [Snort] Emerging Threats Open rules are up to date...
Apr 19 00:15:12 php 69923 [Snort] Snort GPLv2 Community Rules are up to date...
Apr 19 00:15:12 php 69923 [Snort] Snort AppID Open Text Rules are up to date...
Apr 19 00:15:11 php 69923 [Snort] Snort OpenAppID detectors are up to date...
Apr 19 00:15:11 php 69923 [Snort] Snort Subscriber rules are up to date...
Apr 18 21:50:53 php-fpm 400 /index.php: User logged out for user 'admin' from: 192.168.1.5 (Local Database)
Apr 18 21:43:44 php-fpm 634 /interfaces_assign.php: Creating rrd update script
Apr 18 21:43:44 check_reload_status 448 Syncing firewall
Apr 18 21:43:44 php-fpm 634 /interfaces_assign.php: Configuration Change: admin@192.168.1.5 (Local Database): Interfaces assignment settings changed
Apr 18 21:42:05 sshguard 73811 Now monitoring attacks.
Apr 18 21:42:05 php-fpm 400 /diag_command.php: Successful login for user 'admin' from: 192.168.1.5 (Local Database)
Apr 18 21:35:17 kernel mvneta0: promiscuous mode enabled
Apr 18 21:34:23 upsd 52891 User local-monitor@127.0.0.1 logged into UPS [CyberPower]
Apr 18 21:34:21 upsd 52891 Startup successful

stephenw10

Yes, it's normal. Snort puts the interface in promiscuous mode so it can see all traffic on the link.

On my local 3100 for example:

Apr 15 00:40:33 	php 	53242 	[Snort] The Rules update has finished.
Apr 15 00:40:33 	kernel 		mvneta0: promiscuous mode enabled
Apr 15 00:40:33 	php 	53242 	[Snort] Snort has restarted on LAN with your new set of rules...
Apr 15 00:38:54 	php 	53242 	[Snort] Snort START for LAN(mvneta0)...
Apr 15 00:38:53 	kernel 		mvneta0: promiscuous mode disabled
Apr 15 00:38:53 	snort 	6827 	*** Caught Term-Signal
Apr 15 00:38:52 	php 	53242 	[Snort] Snort STOP for LAN(mvneta0)... 

Steve

JonathanLee

@stephenw10

Thanks for the reply.

It also seemed to resolve it self for that APP ID issue.

Do you use ZFS or UFS? I just started using ZFS after a full firmware reimage. I still feel like I need to do a file system check every once and awhile however you can't with ZFS.

stephenw10

Not there because it's a 3100 that can't run ZFS. But I run ZFS on numerous other things.
I don't run fsck, beyond what runs at every boot, on anything unless it's needed. Which is almost never.

Steve

NOCling

My SG-2100 doesn't run Snort or Suricata but it shows it to.
On every boot:
pflog0: promiscuous mode enabled

stephenw10

That's internal pf logging interface though not a real NIC.

JonathanLee

@stephenw10 my 2100 Max SG gave me the option to run ZFS or UFS only when I preformed a full reimage last week with support provided firmware. Prior it only ran UFS and would run checks every boot up.

stephenw10

Yes, the 2100 is arm64 and from 22.01 can run ZFS.
The 3100 is 32bit and cannot.