[Snort-users] "Adapter is in Passive Mode" Warning

Ricky Huang rhuang.work at ...11827...
Wed Mar 6 18:01:59 EST 2013


Hi all,

I was playing with Snort rules and noticed the following doesn't work:
> reject ICMP any any -> $HOME_NET any (msg:"Shut this rule off, it works now"; sid:100000;)

While 
> alert ICMP any any -> $HOME_NET any (msg:"Shut this rule off, it works now"; sid:100000;)
works fine.

So I ran snort with the -T flag and noticed:
> WARNING: /usr/local/etc/snort/snort.conf(641) Adapter is in Passive Mode. Hence switching policy mode to tap.


Line 641 of snort.conf is where I tried to set policy to "inline" ("config policy_mode:inline").


Is there supposed to be a build flag to enable IPS capability on Snort? I looked at my FreeBSD ports options:

> # make showconfig
> ===> The following configuration options are available for snort-2.9.4_1:
>      BARNYARD=on: Depend on Barnyard2
>      DBGSNORT=off: Enable debugging symbols+core dumps
>      FLEXRESP3=on: Enable flexible response on events (v3)
>      GRE=on: Enable GRE support
>      IPV6=on: IPv6 protocol
>      LRGPCAP=off: Enable pcaps larger than 2GB
>      MPLS=on: MPLS support
>      NORMALIZER=on: Enable normalizer
>      PERFPROFILE=on: Enable performance profiling
>      PULLEDPORK=on: Depend on pulledpork
>      REACT=on: Enable react
>      SNORTSAM=off: Enable unofficial Snortsam patch
>      SOURCEFIRE=on: Enable Sourcefire-specific build options
>      TARGETBASED=on: Enable targetbased support
>      ZLIB=on: Enable GZIP support

and couldn't seem to find any…


Thanks!