[Snort-users] Normalizations are not applied using divert sockets

C. L. Martinez carlopmart at gmail.com
Sat Dec 30 12:30:18 EST 2017


Hi all,

I have installed Snort under an OpenBSD VM to do some tests and I have configured divert sockets to use Snort as an IPS. I have configured the following under Snort:

config policy_mode: inline
config daq: ipfw
config daq_dir: /usr/local/lib/daq/
config daq_mode: inline
config daq_var: port=9000

 ... and I have adjusted my PF rules. But when snort starts up, the following warning appears:

Dec 30 17:23:07 highlands snort[29952]: WARNING: ip4 normalizations disabled because not inline.
Dec 30 17:23:07 highlands snort[29952]: WARNING: tcp normalizations disabled because not inline.
Dec 30 17:23:07 highlands snort[29952]: WARNING: icmp4 normalizations disabled because not inline.
Dec 30 17:23:07 highlands snort[29952]: WARNING: ip6 normalizations disabled because not inline.
Dec 30 17:23:07 highlands snort[29952]: WARNING: icmp6 normalizations disabled because not inline.

 Do I need to pass -Q to snort or is it a bug? Snort release is 2.9.9.0 (released as a port for OpenBSD 6.2)...

Thanks
-- 
Greetings,
C. L. Martinez

