Promiscuous interface
Results 1 to 4 of 4

Thread: Promiscuous interface

  1. #1
    Junior Member
    Join Date
    Apr 2004
    Posts
    12

    Promiscuous interface

    During a recent rkhunter scan I received a warning that I have a promiscuous interface on eth0. The only change to my system from the last rkhunter scan to the current one is I installed snort and set it up to run in NIDS mode. When I shut down snort and ran another scan the warning went away. What is a promiscuous interface? Do I have one because I configured snort improperly? How important is it to run IDS software on a home computer? Thank you in advance for any help.
    Every man has his price. Mine is $3.95.

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Promiscuous Interface means that the Network cards listens for ALL traffic, not just traffic meant for itself. For SNORT to be effective as a Network (rather than a single host) IDS, it would need to see ALL traffic. So it's not a bad thing that the card is in promiscuous mode.

    As for running an IDS on a home computer it does have value, IMHO but that will vary from individual opinion to individual opinion. I personally believe that all systems have value and you should take the time to invest in multiple layers of security, even at home. Even simplistic firewalls like Sygate and ZoneAlarm have some form of IDS in them. I would suggest, however, putting it on a machine seperate from the one that you use, if feasible. A simple box, even an old Pentium running a *nix variant, would work. My old Snort box ran on a P100 with 64MB of Ram and a 4GB HD using FreeBSD (no GUI; remote SSH admin only). Worked great until I took the machine apart.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    or it could mean your interface has been sleeping with a lot of other interfaces..j/k

    nice answer MsMittens

    a simple, less technical way of thinking about is consider the mail scenario. A mailman normally comes and delivers letters to there respective addresses. When he delivers mail at your house he has a bag full of mail destined for other houses but does not give those to you only what is addressed to you. Now if your house was put into promiscuous mode it would be like the mail delivers your normal mail when he comes by but also delivers a copy of everything else he is carrying. So you get a copy of everyones mail.
    That which does not kill me makes me stronger -- Friedrich Nietzche

  4. #4
    Junior Member
    Join Date
    Apr 2004
    Posts
    12
    My interface is easy but it uses protection and hasn't caught anything yet. On a more serious note, thanks for the information. I am extremely new to computer/network security and the advice I receive at this site has always been top notch. And sometime in the future hopefully I will be contributing as well.
    Every man has his price. Mine is $3.95.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •