Cycling iface after service loads?

I'm working with snort3, and due to the ruleset I use, it takes a minute or two at boot to finish. During this time, no requests are processed. After the iface enters promisc-mode, I need to down link the LAN ports and bring them back up.

Dropping a sleep in rc.local delays the start of snort, as well, so I can't even brute it by putting a hard-coded delay in. The service status is "running" even while it still is loading. The only indication I know is the "[ 152.103615] device eth0 entered promiscuous mode" that indicates the service has started.

Any suggestions on how I might be able to do this?

No one has ideas? I don't think this is a "correct answer" type of question, so as long as it works, I'm not concerned with the method :smile:

Here are some elements that could help. You could create a simple daemon or use a cron task to monitor for promiscuous mode changes and bump the interfaces when it gets turned on (from off to on).

To get that information from eth0, you can use some of the following commands:

root@hostname:/# ip -d link show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 02:81:86:46:b1:94 brd ff:ff:ff:ff:ff:ff promiscuity 0 numtxqueues 8 numrxqueues 8 gso_max_size 65536 gso 
root@hostname:/# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 02:81:86:46:B1:94  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14871 errors:0 dropped:3004 overruns:0 frame:0
          TX packets:6858 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:6057387 (5.7 MiB)  TX bytes:1829891 (1.7 MiB)
          Interrupt:37 
root@hostname:/# ifconfig eth0 promisc
[ 6077.881309] device eth0 entered promiscuous mode
root@hostname:/# ip -d link show eth0
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 02:81:86:46:b1:94 brd ff:ff:ff:ff:ff:ff promiscuity 1 numtxqueues 8 numrxqueues 8 gso_max_size 65536 gso 
root@hostname:/# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 02:81:86:46:B1:94  
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:14937 errors:0 dropped:3020 overruns:0 frame:0
          TX packets:6891 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:6066163 (5.7 MiB)  TX bytes:1841765 (1.7 MiB)
          Interrupt:37 

The first command shows promiscuous mode as 0 (off) and you could awk that value out of the result.
The ifconfig command shows promiscuous mode by having PROMISC in the second line (which you can grep out).
I then showed the difference by turning promiscuous mode on and running them again.

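The polling approach suggested in the answer above, written out as an added example that is not part of the original thread: it reads the `promiscuity` value from `ip -d link show` and cycles the LAN ports once when it goes from 0 to non-zero. The port names `lan1 lan2`, the 2-second interval, the `--watch` switch and the `promisc-watch` log tag are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): cycle LAN ports when WATCH_IF goes promiscuous.
WATCH_IF="${WATCH_IF:-eth0}"          # interface from the thread
LAN_PORTS="${LAN_PORTS:-lan1 lan2}"   # assumed port names, replace with your own
POLL_SECS="${POLL_SECS:-2}"           # assumed polling interval

# Lines copied from the `ip -d link show eth0` output in the thread (trimmed).
SAMPLE_OFF='    link/ether 02:81:86:46:b1:94 brd ff:ff:ff:ff:ff:ff promiscuity 0 numtxqueues 8'
SAMPLE_ON='    link/ether 02:81:86:46:b1:94 brd ff:ff:ff:ff:ff:ff promiscuity 1 numtxqueues 8'

# Read `ip -d link show` output on stdin; print the value after "promiscuity".
# Prints nothing when the field is missing.
parse_promiscuity() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "promiscuity") { print $(i + 1); exit } }'
}

# True only for the off -> on transition (previous 0, current > 0).
# Empty or non-numeric readings never count as a transition.
is_rising_edge() {
    for v in "$1" "$2"; do
        case "$v" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$1" -eq 0 ] && [ "$2" -gt 0 ]
}

# Take every LAN port down, pause, then bring them back up.
cycle_ports() {
    for port in $LAN_PORTS; do ip link set dev "$port" down; done
    sleep 1
    for port in $LAN_PORTS; do ip link set dev "$port" up; done
}

watch_and_cycle() {
    prev=$(ip -d link show "$WATCH_IF" 2>/dev/null | parse_promiscuity)
    while :; do
        sleep "$POLL_SECS"
        cur=$(ip -d link show "$WATCH_IF" 2>/dev/null | parse_promiscuity)
        if is_rising_edge "$prev" "$cur"; then
            logger -t promisc-watch "$WATCH_IF entered promiscuous mode, cycling $LAN_PORTS"
            cycle_ports
        fi
        prev="${cur:-$prev}"   # keep the last good reading if this poll failed
    done
}

# Start the loop only on request so the file can be sourced safely.
# From rc.local, background it so boot is not delayed: <script path> --watch &
if [ "${1:-}" = "--watch" ]; then watch_and_cycle; fi
```

The watcher has to be running before snort finishes loading, since it reacts only to the 0 to non-zero transition. `promiscuity` is a kernel reference count, so another capture tool already holding the interface promiscuous would hide that transition.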

Thank you! I will give that a try.