EFW Support

Support => General Support => Topic started by: killbuddy on Wednesday 17 February 2010, 03:03:07 pm



Title: snort in 2.3
Post by: killbuddy on Wednesday 17 February 2010, 03:03:07 pm
I have been using Endian for a  of days and I have noticed that I am getting messages from Snort saying that it is running in IDS mode.  Other errors/notice messages I have been getting include the following:

"Running in IDS mode"
"Cannot set uid and gid when running Snort in inline mode."
"Not Using PCAP_FRAMES"

I have installed Endian with the default install and started Snort.  I have set some rules to drop packets instead of alert on them and rebooted the system.  I just don't know if they are getting dropped or not without putting a packet sniffer on my LAN to verify.

I guess my question is "How would I get Snort to run in IPS mode instead of IDS mode?"


Title: Re: snort in 2.3
Post by: Saltee on Sunday 21 February 2010, 11:21:45 pm
I have the same issue but it does look like Snort is running in IPS (inline mode suggests this).  I have not done any actual sniffing yet to see what's going on as I have not really had time and have another IDS/IPS upstream.  One day I will have a look but it's low on my list.

This link explains PCAP_FRAMES very well (nice page Leon W):
http://leonward.wordpress.com/2008/07/18/not-using-pcap_frames-aka-when-good-verbosity-goes-bad/

It would be interesting to hear other opinions re this.