[Snort-users] WARNING: normalizations disabled because DAQ can't replace packets.

Russ Combs rcombs at ...1935...
Thu Dec 13 08:00:20 EST 2012


On Thu, Dec 13, 2012 at 4:12 AM, Yayan Tri Taryana <
yayantritaryana at ...11827...> wrote:

> Hi,
>
> I have an IDS server using Snort. Previously my server worked normally,
> but now I realize that my Snort is not logging the alert.
>
> When I tail -f /var/log/message
>
> there's an error saying "WARNING: normalizations disabled because DAQ can't
> replace packets."
>

That is because you are running in passive mode.  I'm guessing you weren't
previously running inline because you are using the pcap DAQ so you can
safely ignore this or comment out preprocessor normalize_* from your conf.

You will need to post more specific information about the alert you are not
seeing.

>
> Has anyone encountered this, and how do I fix it?
>
> This is my log:
>
> : [ Number of patterns truncated to 20 bytes: 3926 ]
> Dec 13 15:12:39 GURUH0 snort[3149]: pcap DAQ configured to passive.
> Dec 13 15:12:39 GURUH0 snort[3149]: Acquiring network traffic from "eth3".
> Dec 13 15:12:39 GURUH0 snort[3149]: Initializing daemon mode
> Dec 13 15:12:39 GURUH0 snort[3150]: Daemon initialized, signaled parent
> pid: 3149
> Dec 13 15:12:39 GURUH0 snort[3150]: Reload thread starting...
> Dec 13 15:12:39 GURUH0 snort[3150]: Reload thread started, thread
> 0x426f8940 (3150)
> Dec 13 15:12:39 GURUH0 kernel: device eth3 entered promiscuous mode
> Dec 13 15:12:39 GURUH0 kernel: type=1700 audit(1355386359.639:8): dev=eth3
> prom=256 old_prom=0 auid=4294967295 ses=4294967295
> Dec 13 15:12:39 GURUH0 snort[3150]: Decoding Ethernet
> Dec 13 15:12:39 GURUH0 snort[3150]: Checking PID path...
> Dec 13 15:12:39 GURUH0 snort[3150]: PID path stat checked out ok, PID path
> set to /var/run/
> Dec 13 15:12:39 GURUH0 snort[3150]: Writing PID "3150" to file
> "/var/run//snort_eth3.pid"
> Dec 13 15:12:39 GURUH0 snort[3150]: Set gid to 500
> Dec 13 15:12:39 GURUH0 snort[3150]: Set uid to 500
> Dec 13 15:12:39 GURUH0 snort[3150]: WARNING: normalizations disabled
> because DAQ can't replace packets.
> Dec 13 15:12:39 GURUH0 snort[3150]:
> Dec 13 15:12:39 GURUH0 snort[3150]:         --== Initialization Complete
> ==--
> Dec 13 15:12:39 GURUH0 snort[3150]: Commencing packet processing
> (pid=3150)
>
>
> Txs
>
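
Added example, not part of the original thread and not Snort project code: a shell script for the check described in the reply above, reading the DAQ type and mode from the startup log and commenting out active preprocessor normalize_* lines when the sensor is not inline. The function names, the temporary paths and the sample log and config lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; the sample log and config lines below are constructed.

# Print the DAQ type and mode from Snort's startup log, e.g. "pcap passive".
daq_mode() {
    sed -nE 's/.*snort\[[0-9]+\]: ([a-z0-9_]+) DAQ configured to ([a-z-]+)\..*/\1 \2/p' "$1" | tail -n 1
}

# Count normalize_* preprocessor lines that are still active (not commented).
active_normalizers() {
    grep -Ec '^[[:space:]]*preprocessor[[:space:]]+normalize_' "$1" || true
}

# Print the config with every active normalize_* line commented out.
comment_out_normalizers() {
    sed -E 's/^([[:space:]]*)(preprocessor[[:space:]]+normalize_)/\1# \2/' "$1"
}

demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/messages" <<'EOF'
Dec 13 15:12:39 GURUH0 snort[3149]: pcap DAQ configured to passive.
Dec 13 15:12:39 GURUH0 snort[3150]: WARNING: normalizations disabled because DAQ can't replace packets.
EOF
    cat > "$tmp/snort.conf" <<'EOF'
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
# preprocessor normalize_icmp4
preprocessor frag3_global: max_frags 65536
EOF
    echo "DAQ: $(daq_mode "$tmp/messages")"
    echo "active normalizers: $(active_normalizers "$tmp/snort.conf")"
    case "$(daq_mode "$tmp/messages")" in
        *" inline") echo "inline: leave normalize_* enabled" ;;
        *) comment_out_normalizers "$tmp/snort.conf" > "$tmp/snort.conf.new"
           echo "after edit: $(active_normalizers "$tmp/snort.conf.new")" ;;
    esac
    rm -rf "$tmp"
}
demo
```

Run the edit against a copy of the config and test it with snort -T before restarting the sensor.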