Snort mailing list archives
Re: WARNING: normalizations disabled because DAQ can't replace packets.
From: Russ Combs <rcombs () sourcefire com>
Date: Thu, 13 Dec 2012 08:00:20 -0500
On Thu, Dec 13, 2012 at 4:12 AM, Yayan Tri Taryana <yayantritaryana () gmail com> wrote:
Hi, I have an IDS server using snort. Previously my server worked normally, but now I realize that my snort is not logging the alert. When I tail -f /var/log/message there's an error saying "WARNING: normalizations disabled because DAQ can't replace packets."
That is because you are running in passive mode. I'm guessing you weren't previously running inline because you are using the pcap DAQ, so you can safely ignore this or comment out preprocessor normalize_* from your conf. You will need to post more specific information about the alert you are not seeing.
Has anyone encountered this, and how do I fix it? This is my log:
[ Number of patterns truncated to 20 bytes: 3926 ]
Dec 13 15:12:39 GURUH0 snort[3149]: pcap DAQ configured to passive.
Dec 13 15:12:39 GURUH0 snort[3149]: Acquiring network traffic from "eth3".
Dec 13 15:12:39 GURUH0 snort[3149]: Initializing daemon mode
Dec 13 15:12:39 GURUH0 snort[3150]: Daemon initialized, signaled parent pid: 3149
Dec 13 15:12:39 GURUH0 snort[3150]: Reload thread starting...
Dec 13 15:12:39 GURUH0 snort[3150]: Reload thread started, thread 0x426f8940 (3150)
Dec 13 15:12:39 GURUH0 kernel: device eth3 entered promiscuous mode
Dec 13 15:12:39 GURUH0 kernel: type=1700 audit(1355386359.639:8): dev=eth3 prom=256 old_prom=0 auid=4294967295 ses=4294967295
Dec 13 15:12:39 GURUH0 snort[3150]: Decoding Ethernet
Dec 13 15:12:39 GURUH0 snort[3150]: Checking PID path...
Dec 13 15:12:39 GURUH0 snort[3150]: PID path stat checked out ok, PID path set to /var/run/
Dec 13 15:12:39 GURUH0 snort[3150]: Writing PID "3150" to file "/var/run//snort_eth3.pid"
Dec 13 15:12:39 GURUH0 snort[3150]: Set gid to 500
Dec 13 15:12:39 GURUH0 snort[3150]: Set uid to 500
Dec 13 15:12:39 GURUH0 snort[3150]: WARNING: normalizations disabled because DAQ can't replace packets.
Dec 13 15:12:39 GURUH0 snort[3150]:
Dec 13 15:12:39 GURUH0 snort[3150]: --== Initialization Complete ==--
Dec 13 15:12:39 GURUH0 snort[3150]: Commencing packet processing (pid=3150)
Txs
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
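Added example (not part of the thread or of Snort itself): a small triage script that correlates the DAQ mode reported at startup with the normalization warning and lists the normalize_* preprocessors still enabled in the conf, following the reply above. The log and conf samples are constructed, and the function name and verdict strings are assumptions of this example.

```python
import re

# Constructed sample: startup lines in the format of the syslog excerpt in the thread.
SAMPLE_LOG = """\
Dec 13 15:12:39 GURUH0 snort[3149]: pcap DAQ configured to passive.
Dec 13 15:12:39 GURUH0 snort[3150]: WARNING: normalizations disabled because DAQ can't replace packets.
Dec 13 15:12:39 GURUH0 snort[3150]: Commencing packet processing (pid=3150)
"""

# Constructed snort.conf fragment (assumed contents, not the poster's actual file).
SAMPLE_CONF = """\
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
# preprocessor normalize_icmp4
preprocessor frag3_global: max_frags 65536
"""

DAQ_RE = re.compile(r"snort\[\d+\]: (\w+) DAQ configured to (\w+)\.")
WARNING_TEXT = "normalizations disabled because DAQ can't replace packets"
# Only uncommented lines: a leading '#' prevents the match.
NORMALIZE_RE = re.compile(r"^[ \t]*preprocessor[ \t]+(normalize_\w+)", re.M)


def triage(log_text, conf_text):
    """Summarise DAQ mode, the normalization warning and active normalize_* lines."""
    m = DAQ_RE.search(log_text)
    daq, mode = (m.group(1), m.group(2)) if m else (None, None)
    warned = WARNING_TEXT in log_text
    active = NORMALIZE_RE.findall(conf_text)
    if warned and mode == "passive":
        verdict = "expected in passive mode: ignore, or comment out normalize_* lines"
    elif warned:
        verdict = "warning present but no passive DAQ line found: check the DAQ mode"
    else:
        verdict = "no normalization warning in this log"
    return {
        "daq": daq,
        "mode": mode,
        "warned": warned,
        "active_normalizers": active,
        "processing_started": "Commencing packet processing" in log_text,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

If processing_started is true and the verdict is the passive-mode one, the warning does not explain the missing alerts, and the rule and output configuration are the next things to look at.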
Current thread:
- WARNING: normalizations disabled because DAQ can't replace packets. Yayan Tri Taryana (Dec 13)
- Re: WARNING: normalizations disabled because DAQ can't replace packets. Russ Combs (Dec 13)