Title: snort in 2.3
Post by: killbuddy on Wednesday 17 February 2010, 03:03:07 pm

I have been using Endian for a of days and I have noticed that I am getting messages from Snort saying that it is running in IDS mode. Other error/notice messages I have been getting include the following:

"Running in IDS mode"
"Cannot set uid and gid when running Snort in inline mode."
"Not Using PCAP_FRAMES"

I have installed Endian with the default install and started Snort. I have set some rules to drop packets instead of alert on them and rebooted the system. I just don't know if they are getting dropped or not without putting a packet sniffer on my LAN to verify. I guess my question is "How would I get Snort to run in IPS mode instead of IDS mode?"

Title: Re: snort in 2.3
Post by: Saltee on Sunday 21 February 2010, 11:21:45 pm

I have the same issue, but it does look like Snort is running in IPS (inline mode suggests this). I have not done any actual sniffing yet to see what's going on, as I have not really had time and have another IDS/IPS upstream. One day I will have a look, but it's low on my list.

This link explains PCAP_FRAMES very well (nice page, Leon W):
http://leonward.wordpress.com/2008/07/18/not-using-pcap_frames-aka-when-good-verbosity-goes-bad/

It would be interesting to hear other opinions re this.