[Snort-users] "Adapter is in Passive Mode" Warning

Y M snort at ...15979...
Fri Mar 8 03:33:11 EST 2013


You have to explicitly tell snort and DAQ to run in inline mode, either from the command line or through the DAQ section in the snort.conf file. Setting policy_mode:inline alone is not enough.

"reject" is an inline action; it did not work because it requires snort/DAQ to be running in inline mode and will not trigger in passive mode; hence "alert" would work as expected in passive mode.

YM
________________________________
From: Ricky Huang<mailto:rhuang.work at ...11827...>
Sent: 3/8/2013 11:17 AM
To: snort-users at lists.sourceforge.net<mailto:snort-users at ...3783...net>
Subject: Re: [Snort-users] "Adapter is in Passive Mode" Warning

Anyone… help?

On Mar 6, 2013, at 3:01 PM, Ricky Huang <rhuang.work at ...11827...> wrote:

> Hi all,
>
> I was playing Snort rules and noticed the following doesn't work:
>> reject ICMP any any -> $HOME_NET any (msg:"Shut this rule off, it works now"; sid:100000;)
>
> While
>> alert ICMP any any -> $HOME_NET any (msg:"Shut this rule off, it works now"; sid:100000;)
> works fine.
>
> So I ran snort with -T flag and noticed:
>> WARNING: /usr/local/etc/snort/snort.conf(641) Adapter is in Passive Mode. Hence switching policy mode to tap.
>
>
> Line 641 of snort.conf is where I tried to set policy to "inline" ("config policy_mode:inline").
>
>
> Is there supposed to be a build flag to enable IPS capability on Snort? I looked at my FreeBSD ports option:
>
>> # make showconfig
>> ===> The following configuration options are available for snort-2.9.4_1:
>>      BARNYARD=on: Depend on Barnyard2
>>      DBGSNORT=off: Enable debugging symbols+core dumps
>>      FLEXRESP3=on: Enable flexible response on events (v3)
>>      GRE=on: Enable GRE support
>>      IPV6=on: IPv6 protocol
>>      LRGPCAP=off: Enable pcaps larger than 2GB
>>      MPLS=on: MPLS support
>>      NORMALIZER=on: Enable normalizer
>>      PERFPROFILE=on: Enable performance profiling
>>      PULLEDPORK=on: Depend on pulledpork
>>      REACT=on: Enable react
>>      SNORTSAM=off: Enable unofficial Snortsam patch
>>      SOURCEFIRE=on: Enable Sourcefire-specific build options
>>      TARGETBASED=on: Enable targetbased support
>>      ZLIB=on: Enable GZIP support
>
> and couldn't seem to find any…
>
>
> Thanks!
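
As an added example (not from either message in this thread), the snort.conf fragment below shows the difference YM describes: the setting the original poster used, beside a DAQ section that actually puts Snort in inline mode. The DAQ module, interface names and divert port are assumptions for illustration.

```conf
# --- What the thread shows: only the policy is set. The DAQ stays in its
# default (passive) mode, so at startup Snort prints "Adapter is in Passive
# Mode" and downgrades the policy to "tap"; a "reject" rule never fires.
config policy_mode: inline

# --- Corrected DAQ section (Snort 2.9.x): the DAQ itself is told to run
# inline, and the policy mode matches it. Module and buffer size are
# assumed values, not taken from the thread.
config daq: afpacket
config daq_mode: inline
config daq_var: buffer_size_mb=128
config policy_mode: inline

# Equivalent from the command line: -Q forces inline mode, and the afpacket
# DAQ bridges the two interfaces given to -i (assumed names):
#   snort -Q --daq afpacket -i eth0:eth1 -c /usr/local/etc/snort/snort.conf
# On FreeBSD (the poster's platform) afpacket is not available; the ipfw DAQ
# reads packets from a divert socket instead (port is an assumed value):
#   snort -Q --daq ipfw --daq-var port=8000 -c /usr/local/etc/snort/snort.conf
# Re-run with -T afterwards: the passive-mode warning should be gone and
# "reject" rules become effective.
```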
