Snort mailing list archives
Re: "Adapter is in Passive Mode" Warning
From: Y M <snort () outlook com>
Date: Fri, 8 Mar 2013 11:33:11 +0300
You have to explicitly tell snort and DAQ to run in inline mode, either from the command line or the through the DAQ section in snort.conf file. Setting policy_mode:inline alone is not enough. "reject" is an inline action; it did not work because it requires that snort/DAQ to be running in inline mode and will not trigger in passive mode; hence "alert" would work as expected in passive mode. YM ________________________________ From: Ricky Huang<mailto:rhuang.work () gmail com> Sent: 3/8/2013 11:17 AM To: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net> Subject: Re: [Snort-users] "Adapter is in Passive Mode" Warning Anyone… help? On Mar 6, 2013, at 3:01 PM, Ricky Huang <rhuang.work () gmail com> wrote:
Hi all, I was playing Snort rules and noticed the following doesn't work:reject ICMP any any -> $HOME_NET any (msg:"Shut this rule off, it works now"; sid:100000;)Whilealert ICMP any any -> $HOME_NET any (msg:"Shut this rule off, it works now"; sid:100000;)works fine. So I ran snort with -T flag and noticed:WARNING: /usr/local/etc/snort/snort.conf(641) Adapter is in Passive Mode. Hence switching policy mode to tap.Line 641 of snort.conf is where I tried to set policy to "inline" ("config policy_mode:inline"). Is there supposed to be a build flag to enable IPS capability on Snort? I looked at my FreeBSD ports option:# make showconfig ===> The following configuration options are available for snort-2.9.4_1: BARNYARD=on: Depend on Barnyard2 DBGSNORT=off: Enable debugging symbols+core dumps FLEXRESP3=on: Enable flexible response on events (v3) GRE=on: Enable GRE support IPV6=on: IPv6 protocol LRGPCAP=off: Enable pcaps larger than 2GB MPLS=on: MPLS support NORMALIZER=on: Enable normalizer PERFPROFILE=on: Enable performance profiling PULLEDPORK=on: Depend on pulledpork REACT=on: Enable react SNORTSAM=off: Enable unofficial Snortsam patch SOURCEFIRE=on: Enable Sourcefire-specific build options TARGETBASED=on: Enable targetbased support ZLIB=on: Enable GZIP supportand couldn't seem to find any… Thanks!
------------------------------------------------------------------------------ Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the endpoint security space. For insight on selecting the right partner to tackle endpoint security challenges, access the full report. http://p.sf.net/sfu/symantec-dev2dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the endpoint security space. For insight on selecting the right partner to tackle endpoint security challenges, access the full report. http://p.sf.net/sfu/symantec-dev2dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- "Adapter is in Passive Mode" Warning Ricky Huang (Mar 06)
- Re: "Adapter is in Passive Mode" Warning Ricky Huang (Mar 08)
- <Possible follow-ups>
- Re: "Adapter is in Passive Mode" Warning Y M (Mar 08)
- Re: "Adapter is in Passive Mode" Warning Russ Combs (Mar 08)