[Snort-users] configure options for 2.9.4

waldo kitty wkitty42 at ...14940...
Fri Feb 15 23:02:26 EST 2013


On 2/15/2013 12:59, John York wrote:
> Hi
> I'm building an IDS sensor for 2.9.4.  Can I save overhead by disabling the IPS portions?  I see that the default listed at the top of snort.conf is this:
> OPTIONS : --enable-gre --enable-mpls --enable-targetbased --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3
>
> I'm trying these changes, but they cause make to have errors:
> --disable-active-response
> --disable-normalizer
> --disable-react
> --disable-flexresp3.
>
> It looks like everything works if I remove --disable-flexresp3.  What should be the configure options for a non-blocking IDS install?

we don't "remove" anything... we compile snort with the defaults plus maybe 
adding a few... the difference between IDS and IPS is in how you run it... 
inline with active blocking of DROP rules is IPS... we simply use everything as 
is and leave the rules as ALERT rules which are then processed from the 
resulting logs and then blocks are triggered...
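
Added example, not part of the original message and not the poster's own tooling: a sketch of the log-driven workflow the reply describes, reading Snort alert_fast lines written by ALERT rules and listing the source addresses to hand to a separate blocker. The priority and SID thresholds, the NEVER_BLOCK networks, the function names and the sample alerts are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# alert_fast layout: ts [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*$"
)

# Assumption: networks that must never be blocked (own hosts, gateways), so a
# spoofed or noisy alert cannot make the sensor cut off its own infrastructure.
NEVER_BLOCK = [ip_network("192.0.2.0/24")]

def parse_alert(line):
    """Return a dict for one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return {"sid": int(m["sid"]), "priority": int(m["prio"]),
            "proto": m["proto"], "src": m["src"], "dst": m["dst"], "msg": m["msg"]}

def block_candidates(lines, max_priority=2, min_sids=2, never_block=NEVER_BLOCK):
    """Sources that fired at least min_sids distinct rules at priority <= max_priority."""
    sids_by_src = defaultdict(set)
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["priority"] > max_priority:
            continue  # unparsable line or low-severity alert
        if any(ip_address(alert["src"]) in net for net in never_block):
            continue  # protected source, never a block candidate
        sids_by_src[alert["src"]].add(alert["sid"])
    return sorted(src for src, sids in sids_by_src.items() if len(sids) >= min_sids)

# Constructed sample alerts (documentation address ranges, made-up SIDs).
SAMPLE = """\
02/15-23:02:26.101000  [**] [1:1000001:1] constructed rule A [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:40112 -> 192.0.2.10:80
02/15-23:02:27.300000  [**] [1:1000002:3] constructed rule B [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:40113 -> 192.0.2.10:80
02/15-23:02:28.000000  [**] [1:1000003:1] constructed rule C [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.10
02/15-23:02:29.000000  [**] [1:1000001:1] constructed rule A [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.50:5555 -> 192.0.2.10:80
02/15-23:02:30.000000  [**] [1:1000002:3] constructed rule B [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.50:5556 -> 192.0.2.10:80
02/15-23:02:31.000000  [**] [1:1000001:1] constructed rule A [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.20:1234 -> 192.0.2.10:80
""".splitlines()

if __name__ == "__main__":
    for src in block_candidates(SAMPLE):
        print(src)  # feed these to whatever applies the block
```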





