snort - LEGACY MODE ?
-
Hello all,
My snort configuration shows LEGACY MODE for Blocking Mode.
Is it right?
I am pretty sure it was something different (have not touched it for a long time). Should I change it? How? Thx
-
That's the default. See https://forum.netgate.com/topic/143812/snort-package-4-0-inline-ips-mode-introduction-and-configuration-instructions
-
Yes, as @teamits said, that is the original (and still default) blocking mode that uses a custom plugin along with the libpcap library. The new mode, Inline IPS, became available in a recent package update. The new mode, when enabled, uses the netmap kernel device. However, that mode is highly dependent on having a netmap-compatible NIC. Not all hardware can use Inline IPS mode, and some configurations won't work properly with that mode even when you have compatible hardware. Examples are PPPoE interfaces and certain VLAN setups.
-
@bmeeks thx!
I also used to have Barnyard2 enabled.
See no in the interface line now. Is it some recent change?
-
@chudak said in snort - LEGACY MODE ?:
@bmeeks thx!
I also used to have Barnyard2 enabled.
See no in the interface line now. Is it some recent change?

Barnyard2 was removed because it is no longer actively maintained in FreeBSD ports and it pulled in ancient mysql57 libraries that had unpatched security vulnerabilities that would never be patched because that version of mysql is deprecated.
-