snort - LEGACY MODE ?

chudak

Hello all,

My snort configuration shows LEGACY MODE for Blocking Mode

Is it right?
I am pretty sure it was something different (have not touched it for long time). Should I change it? How?

Thx

teamits

That's the default. See https://forum.netgate.com/topic/143812/snort-package-4-0-inline-ips-mode-introduction-and-configuration-instructions

bmeeks

Yes, as @teamits said, that is the original (and still default) blocking mode that uses a custom plugin along with the libpcap library. The new mode, Inline IPS, became available in a recent package update. The new mode, when enabled, uses the netmap kernel device. However, that mode is highly dependent on having a netmap-compatible NIC. Not all hardware can use Inline IPS mode, and some configurations won't work properly with that mode even when you have compatible hardware. Examples are PPPoE interfaces and certain VLAN setups.

chudak

@bmeeks thx!

I also used to have Barnyard2 enabled.
See no in the interface line now. Is it some recent change ?

bmeeks

@chudak said in snort - LEGACY MODE ?:

@bmeeks thx!

I also used to have Barnyard2 enabled.
See no in the interface line now. Is it some recent change ?

Barnyard2 was removed because it is no longer actively maintained in FreeBSD ports and it pulled in ancient mysql57 libraries that had unpatched security vulnerabilities that would never be patched because that version of mysql is deprecated.

chudak

@bmeeks

Thx!

Happy Holidays!