[Snort-users] Normalizations are not applied using divert sockets (SOLVED)

C. L. Martinez carlopmart at gmail.com
Sun Dec 31 03:16:07 EST 2017


On Sat, Dec 30, 2017 at 06:30:18PM +0100, C. L. Martinez wrote:
> Hi all,
> 
>  I have installed Snort under an OpenBSD vm to do some tests and I have configured divert sockets to use Snort as an IPS. I have configured the following under Snort:
> 
> config policy_mode: inline
> config daq: ipfw
> config daq_dir: /usr/local/lib/daq/
> config daq_mode: inline
> config daq_var: port=9000
> 
>  ... and I have adjusted my PF rules. But when snort starts up, the following warning appears:
> 
> Dec 30 17:23:07 highlands snort[29952]: WARNING: ip4 normalizations disabled because not inline.
> Dec 30 17:23:07 highlands snort[29952]: WARNING: tcp normalizations disabled because not inline.
> Dec 30 17:23:07 highlands snort[29952]: WARNING: icmp4 normalizations disabled because not inline.
> Dec 30 17:23:07 highlands snort[29952]: WARNING: ip6 normalizations disabled because not inline.
> Dec 30 17:23:07 highlands snort[29952]: WARNING: icmp6 normalizations disabled because not inline.
> 
>  Do I need to pass -Q to snort or is it a bug? Snort release is 2.9.9.0 (released as a port for OpenBSD 6.2)...
> 

It seems the -Q flag is required to apply packet normalization.

Thanks

-- 
Greetings,
C. L. Martinez
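
As an added example (not part of the original post): a POSIX shell check that reads Snort's startup syslog lines, lists the protocols whose normalization was disabled because the process was not inline, and reports whether the launch command carries -Q. The function names, the sample launch command and the config path are assumptions; the log lines are the ones quoted in the message above.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names, the sample
# launch command and the config path are assumptions.

# Constructed sample input: the startup warnings quoted in the post.
sample_log() {
cat <<'EOF'
Dec 30 17:23:07 highlands snort[29952]: WARNING: ip4 normalizations disabled because not inline.
Dec 30 17:23:07 highlands snort[29952]: WARNING: tcp normalizations disabled because not inline.
Dec 30 17:23:07 highlands snort[29952]: WARNING: icmp4 normalizations disabled because not inline.
Dec 30 17:23:07 highlands snort[29952]: WARNING: ip6 normalizations disabled because not inline.
Dec 30 17:23:07 highlands snort[29952]: WARNING: icmp6 normalizations disabled because not inline.
EOF
}

# Read syslog lines on stdin; print each protocol whose normalization was
# disabled, one per line, sorted and de-duplicated.
disabled_normalizers() {
    sed -n 's/.*WARNING: \([a-z0-9]*\) normalizations disabled because not inline\.$/\1/p' |
        LC_ALL=C sort -u
}

# Return 0 if the launch command passes -Q as its own argument.
has_inline_flag() {
    for arg in "$@"; do
        [ "$arg" = "-Q" ] && return 0
    done
    return 1
}

# Combine both checks: log on stdin, launch command as arguments.
# Prints a one-line verdict and returns non-zero when normalization is off.
check_inline() {
    disabled=$(disabled_normalizers | tr '\n' ' ')
    if [ -n "$disabled" ]; then
        if has_inline_flag "$@"; then hint="-Q is present"
        else hint="launch command lacks -Q"; fi
        echo "normalization disabled for: ${disabled}(${hint})"
        return 1
    fi
    echo "no normalization warnings"
}

# Demo on the constructed sample with a launch command that omits -Q.
sample_log | check_inline snort -c /etc/snort/snort.conf || true
```

Feeding the real startup log on stdin and the actual launch arguments to `check_inline` makes it usable as a post-start check in an rc script or monitoring job.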

