Re: WARNING: normalizations disabled because DAQ can't replace packets.

[Russ Combs <rcombs () sourcefire com>]

On Thu, Dec 13, 2012 at 4:12 AM, Yayan Tri Taryana <
yayantritaryana () gmail com> wrote:

> Hi,
>
> I have and IDS Server using snort, previously my server is work normal,
> but now i realize that my snort is not log the alert.
>
> when i tail -f /var/log/message
>
> theres an error say "WARNING: normalizations disabled because DAQ can't
> replace packets."

That is because you are running in passive mode.  I'm guessing you weren't
previously running inline because you are using the pcap DAQ so you can
safely ignore this or comment out preprocessor normalize_* from your conf.

You will need to post more specific information about the alert you are not
seeing.

> is anyone encountered this and how to fix it ..
>
> this is my log
>
> : [ Number of patterns truncated to 20 bytes: 3926 ]
> Dec 13 15:12:39 GURUH0 snort[3149]: pcap DAQ configured to passive.
> Dec 13 15:12:39 GURUH0 snort[3149]: Acquiring network traffic from "eth3".
> Dec 13 15:12:39 GURUH0 snort[3149]: Initializing daemon mode
> Dec 13 15:12:39 GURUH0 snort[3150]: Daemon initialized, signaled parent
> pid: 3149
> Dec 13 15:12:39 GURUH0 snort[3150]: Reload thread starting...
> Dec 13 15:12:39 GURUH0 snort[3150]: Reload thread started, thread
> 0x426f8940 (3150)
> Dec 13 15:12:39 GURUH0 kernel: device eth3 entered promiscuous mode
> Dec 13 15:12:39 GURUH0 kernel: type=1700 audit(1355386359.639:8): dev=eth3
> prom=256 old_prom=0 auid=4294967295 ses=4294967295
> Dec 13 15:12:39 GURUH0 snort[3150]: Decoding Ethernet
> Dec 13 15:12:39 GURUH0 snort[3150]: Checking PID path...
> Dec 13 15:12:39 GURUH0 snort[3150]: PID path stat checked out ok, PID path
> set to /var/run/
> Dec 13 15:12:39 GURUH0 snort[3150]: Writing PID "3150" to file
> "/var/run//snort_eth3.pid"
> Dec 13 15:12:39 GURUH0 snort[3150]: Set gid to 500
> Dec 13 15:12:39 GURUH0 snort[3150]: Set uid to 500
> Dec 13 15:12:39 GURUH0 snort[3150]: WARNING: normalizations disabled
> because DAQ can't replace packets.
> Dec 13 15:12:39 GURUH0 snort[3150]:
> Dec 13 15:12:39 GURUH0 snort[3150]:         --== Initialization Complete
> ==--
> Dec 13 15:12:39 GURUH0 snort[3150]: Commencing packet processing
> (pid=3150)
>
>
> Txs
>
>
> ------------------------------------------------------------------------------
> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
> Remotely access PCs and mobile devices and provide instant support
> Improve your efficiency, and focus on delivering more value-add services
> Discover what IT Professionals Know. Rescue delivers
> http://p.sf.net/sfu/logmein_12329d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!