Explanation of Modes

Next: Control socket Up: Snort Modes Previous: Snort Modes Contents

Explanation of Modes

Inline
When Snort is in Inline mode, it acts as an IPS allowing drop rules to trigger. Snort can be configured to run in inline mode using the command line argument -Q and snort config option policy_mode as follows:
```
    snort -Q
    config policy_mode:inline
```
Passive
When Snort is in Passive mode, it acts as a IDS. Drop rules are not loaded (without -treat-drop-as-alert). Snort can be configured to passive mode using the snort config option policy_mode as follows:
```
    config policy_mode:tap
```
Inline-Test
Inline-Test mode simulates the inline mode of snort, allowing evaluation of inline behavior without affecting traffic. The drop rules will be loaded and will be triggered as a Wdrop (Would Drop) alert. Snort can be configured to run in inline-test mode using the command line option (-enable-inline-test) or using the snort config option policy_mode as follows:
```
    snort --enable-inline-test
    config policy_mode:inline_test
```
Note:
Please note -enable-inline-test cannot be used in conjunction with -Q.

Behavior of different modes with rule options

Rule Option Inline Mode Passive Mode Inline-Test Mode

reject Drop + Response Alert + Response Wdrop + Response

react Blocks and send notice Blocks and send notice Blocks and send notice

normalize Normalizes packet Doesn't normalize Doesn't normalize

replace replace content Doesn't replace Doesn't replace

respond close session close session close session

Behavior of different modes with rules actions

Adapter Mode Snort args config policy_mode Drop Rule Handling

Passive -treat-drop-as-alert tap Alert

Passive no args tap Not Loaded

Passive -treat-drop-as-alert inline_test Alert

Passive no args inline_test Would Drop

Passive -treat-drop-as-alert inline Alert

Passive no args inline Not loaded + warning

Inline Test -enable-inline-test -treat-drop-as-alert tap Alert

Inline Test -enable-inline-test tap Would Drop

Inline Test -enable-inline-test -treat-drop-as-alert inline_test Alert

Inline Test -enable-inline-test inline_test Would Drop

Inline Test -enable-inline-test -treat-drop-as-alert inline Alert

Inline Test -enable-inline-test inline Would Drop

Inline -Q -treat-drop-as-alert tap Alert

Inline -Q tap Alert

Inline -Q -treat-drop-as-alert inline_test Alert

Inline -Q inline_test Would Drop

Inline -Q -treat-drop-as-alert inline Alert

Inline -Q inline Drop

Next: Control socket Up: Snort Modes Previous: Snort Modes Contents

Eugene Misnik 2013-05-08

Rule Option	Inline Mode	Passive Mode	Inline-Test Mode
`reject`	Drop + Response	Alert + Response	Wdrop + Response
`react`	Blocks and send notice	Blocks and send notice	Blocks and send notice
`normalize`	Normalizes packet	Doesn't normalize	Doesn't normalize
`replace`	replace content	Doesn't replace	Doesn't replace
`respond`	close session	close session	close session

Adapter Mode	Snort args	config policy_mode	Drop Rule Handling
Passive	`-treat-drop-as-alert`	tap	Alert
Passive	`no args`	tap	Not Loaded
Passive	`-treat-drop-as-alert`	inline_test	Alert
Passive	`no args`	inline_test	Would Drop
Passive	`-treat-drop-as-alert`	inline	Alert
Passive	`no args`	inline	Not loaded + warning
Inline Test	`-enable-inline-test -treat-drop-as-alert`	tap	Alert
Inline Test	`-enable-inline-test`	tap	Would Drop
Inline Test	`-enable-inline-test -treat-drop-as-alert`	inline_test	Alert
Inline Test	`-enable-inline-test`	inline_test	Would Drop
Inline Test	`-enable-inline-test -treat-drop-as-alert`	inline	Alert
Inline Test	`-enable-inline-test`	inline	Would Drop
Inline	`-Q -treat-drop-as-alert`	tap	Alert
Inline	`-Q`	tap	Alert
Inline	`-Q -treat-drop-as-alert`	inline_test	Alert
Inline	`-Q`	inline_test	Would Drop
Inline	`-Q -treat-drop-as-alert`	inline	Alert
Inline	`-Q`	inline	Drop