IPS mode of snort3 is not dropping traffic

I added -s 64000 to the snort start line. I am confused though... for IPS mode, shouldn't I be using pipeline = 'nfq' not pipeline = 'afpacket'?

I have modified my local.lua based on @efahl's suggestion:

`/etc/snort/local.lua`
-- Top-level switches that the rest of this file branches on.
config   = 'IPS'      -- 'IDS' or 'IPS'
pipeline = 'afpacket' -- 'afpacket' or 'nfq'

-- Select the operating mode and the rule action from `config`.
-- NOTE(review): `tap` and `inline` are bare Lua identifiers, not strings. Unless
-- the Lua environment snort loads this file into defines globals with those
-- names, they evaluate to nil and every `mode = mode` later in the file sets
-- nothing -- confirm, or quote them as 'tap' / 'inline'.
if config == 'IDS' then
  mode   = tap
  action = 'alert'
else
  mode   = inline
  -- Table form of the -Q command-line switch (enable inline mode operation).
  snort  = { ['-Q'] = true }
  action = 'drop'  -- 'block' or 'drop' or 'reject' or ???
end

-- Choose the DAQ inputs and DAQ module variables from `pipeline`.
if pipeline == 'afpacket' then
  -- NOTE(review): only one interface is listed. For inline operation the
  -- afpacket DAQ expects interface pairs written as 'ethA:ethB' and bridges
  -- traffic between the two; a drop verdict means "do not forward". With a
  -- single interface there is no forwarding path to withhold a packet from,
  -- which would match the "not dropping" symptom -- verify against the
  -- afpacket DAQ documentation shipped with this build.
  inputs = { 'eth1' }
  vars   = {}
else
  -- NOTE(review): in nfq mode snort only sees (and can only drop) packets that
  -- the firewall ruleset actually sends to these queue numbers -- check the
  -- queue statement and its failure behaviour in that table.
  inputs = { '4', '5', '6' } -- to match queue numbers in 'inet snort' table
  vars   = { 'device=eth1', 'queue_maxlen=8192', }
end

--------------------------------------------------------------------------------

-- Rule-engine settings.
-- `default_variables` and `RULE_PATH` are not defined in this file; presumably
-- they come from the main snort.lua / defaults that this tweak is layered on
-- -- confirm they are set before this file is evaluated.
ips = {
  mode            = mode,
  variables       = default_variables,
  -- Applies `action` to all rules, overriding the action written in each rule,
  -- so in IPS config every match is meant to become a 'drop'.
  action_override = action,
--  include         = RULE_PATH .. '/snort.rules',
  -- Only test.rules is loaded; the full snort.rules include is commented out
  -- above. Restore it once the drop path has been verified.
  include         = RULE_PATH .. '/test.rules',
}

-- Packet acquisition: a single DAQ module, named by `pipeline`, reading from
-- `inputs` and configured with `vars`.
daq = {
  inputs      = inputs,
  module_dirs = { '/usr/lib/daq', },
  modules     = {
    {
      name = pipeline,
      -- NOTE(review): if `mode` is nil (see where it is assigned), this key is
      -- absent and the module presumably falls back to its default mode, which
      -- may not be inline -- confirm in the startup output.
      mode = mode,
      variables = vars,
    }
  }
}

-- Directory that log output is written to. `output` is indexed rather than
-- created here, so the table must already exist when this file runs.
output.logdir = '/mnt/mmcblk0p3'
-- Fast alert logger: write alerts to a file rather than stdout, without a
-- packet dump attached to each alert.
alert_fast = {
	file = true,
	packet = false,
}

--search_engine = { search_method = "hyperscan" }
--detection = { hyperscan_literals = true, pcre_to_regex = true }

-- Enable the TCP normalizer's `ips` option.
-- NOTE(review): normalization modifies packets in flight, so it presumably only
-- takes effect when snort is really running inline -- confirm together with the
-- mode settings.
normalizer = {
  tcp = {
    ips = true,
  }
}

-- File inspection policy: file type identification and file signature
-- calculation are both enabled.
file_policy = {
  enable_type = true,
  enable_signature = true,
  rules = {
    use = {
      -- verdict is 'log', so this rule records files; it does not block them.
      verdict = 'log', enable_file_type = true, enable_file_signature = true
    }
  }
}

And to be clear, I am starting snort like this:

# snort -c /etc/snort/snort.lua -s 64000 --tweaks local