[Snort-users] "Adapter is in Passive Mode" Warning

Russ Combs rcombs at ...1935...
Fri Mar 8 11:00:12 EST 2013


On Fri, Mar 8, 2013 at 3:33 AM, Y M <snort at ...15979...> wrote:

>  You have to explicitly tell snort and DAQ to run in inline mode, either
> from the command line or through the DAQ section in the snort.conf file.
> Setting policy_mode:inline alone is not enough.
>
> "reject" is an inline action; it did not work because it requires
> snort/DAQ to be running in inline mode and will not trigger in passive
> mode; hence "alert" would work as expected in passive mode.
>

reject rules can work in passive mode too.  Check Snort's README.active for
details.

>
> YM
>  ------------------------------
> From: Ricky Huang <rhuang.work at ...11827...>
> Sent: 3/8/2013 11:17 AM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] "Adapter is in Passive Mode" Warning
>
>  Anyone… help?
>
>  On Mar 6, 2013, at 3:01 PM, Ricky Huang <rhuang.work at ...11827...> wrote:
>
>  Hi all,
>
>  I was playing with Snort rules and noticed the following doesn't work:
>
> reject ICMP any any -> $HOME_NET any (msg:"Shut this rule off, it works now"; sid:100000;)
>
>
>  While
>
> alert ICMP any any -> $HOME_NET any (msg:"Shut this rule off, it works now"; sid:100000;)
>
> works fine.
>
>  So I ran snort with -T flag and noticed:
>
> WARNING: /usr/local/etc/snort/snort.conf(641) Adapter is in Passive Mode. Hence switching policy mode to tap.
>
>
>  Line 641 of snort.conf is where I tried to set policy to "inline"
> ("config policy_mode:inline").
>
>
>  Is there supposed to be a build flag to enable IPS capability on Snort?
> I looked at my FreeBSD ports option:
>
>    # make showconfig
> ===> The following configuration options are available for snort-2.9.4_1:
>      BARNYARD=on: Depend on Barnyard2
>      DBGSNORT=off: Enable debugging symbols+core dumps
>      FLEXRESP3=on: Enable flexible response on events (v3)
>      GRE=on: Enable GRE support
>      IPV6=on: IPv6 protocol
>      LRGPCAP=off: Enable pcaps larger than 2GB
>      MPLS=on: MPLS support
>      NORMALIZER=on: Enable normalizer
>      PERFPROFILE=on: Enable performance profiling
>      PULLEDPORK=on: Depend on pulledpork
>      REACT=on: Enable react
>      SNORTSAM=off: Enable unofficial Snortsam patch
>      SOURCEFIRE=on: Enable Sourcefire-specific build options
>      TARGETBASED=on: Enable targetbased support
>      ZLIB=on: Enable GZIP support
>
>
>  and couldn't seem to find any…
>
>
>  Thanks!
>
>
>
>
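The following is an added example, not part of the thread and not Snort's own code: a small pre-flight check that models the condition behind the `snort -T` warning quoted above, where `config policy_mode:inline` is set but the adapter (DAQ) is still passive. It assumes that the `-Q` and `--daq-mode` command-line switches override `config daq_mode` in snort.conf; the function names and sample configurations are constructed for illustration. It does not model passive-mode reject via active response (README.active).

```python
import re

# Matches snort.conf lines such as "config policy_mode:inline" or "config daq_mode: inline".
CONFIG_RE = re.compile(r"^\s*config\s+(policy_mode|daq_mode)\s*:\s*(\S+)", re.I)

def parse_conf(conf_text):
    """Return {option: (value, line_number)} for the two mode options; last one wins."""
    found = {}
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        line = line.split("#", 1)[0]          # drop comments
        m = CONFIG_RE.match(line)
        if m:
            found[m.group(1).lower()] = (m.group(2).lower(), lineno)
    return found

def adapter_mode(conf, argv):
    """Adapter (DAQ) mode. Assumption: command-line switches override snort.conf."""
    if "-Q" in argv:
        return "inline"
    if "--daq-mode" in argv:
        idx = argv.index("--daq-mode")
        if idx + 1 < len(argv):
            return argv[idx + 1].lower()
    return conf.get("daq_mode", ("passive", 0))[0]

def check(conf_text, argv=(), conf_name="snort.conf"):
    """Return (adapter_mode, effective_policy_mode, warnings)."""
    conf = parse_conf(conf_text)
    adapter = adapter_mode(conf, list(argv))
    policy, lineno = conf.get("policy_mode", ("unset", 0))
    warnings = []
    if policy == "inline" and adapter != "inline":
        # Same condition the thread's -T warning reports: policy falls back to tap.
        warnings.append(f"{conf_name}({lineno}) Adapter is in Passive Mode. "
                        "Hence switching policy mode to tap.")
        policy = "tap"
    return adapter, policy, warnings

# Constructed sample configurations (not the poster's actual file).
PASSIVE_CONF = "# policy only\nconfig policy_mode:inline\n"
INLINE_CONF = "config daq_mode: inline\nconfig policy_mode:inline\n"

if __name__ == "__main__":
    for name, conf, args in [("policy only", PASSIVE_CONF, []),
                             ("policy + -Q", PASSIVE_CONF, ["-Q"]),
                             ("daq section", INLINE_CONF, [])]:
        print(name, check(conf, args))
```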