This is Gentoo's testing wiki. It is a non-operational environment and its textual content is outdated.
Please visit our production wiki at https://wiki.gentoo.org
Snort
Snort is an intrusion prevention system, network monitor, and alert daemon.
Installation
USE flags
USE flags for net-analyzer/snort (the de facto standard for intrusion detection/prevention). Flags prefixed with + are enabled by default:
+active-response: Enables support for automatically sending TCP resets and ICMP unreachable messages to terminate connections. Used with inline deployments.
+flexresp3: Enables support for the new flexible response preprocessor, which tears down connections in inline deployments. Replaces flexresp and flexresp2.
+gre: Enables support for inspecting and processing Generic Routing Encapsulation (GRE) packet headers. Only needed if you are monitoring GRE tunnels.
+libtirpc: Build against net-libs/libtirpc for RPC support.
+non-ether-decoders: Enables decoding of non-Ethernet protocols such as Token Ring, FDDI, IPX, etc.
+perfprofiling: Enables support for preprocessor and rule performance profiling using the perfmonitor preprocessor.
+ppm: Enables support for setting per-rule or per-packet latency limits. Helps protect against introducing network latency with inline deployments.
+react: Enables support for the react rule keyword. Supports interception, termination, and redirection of HTTP connections.
+threads: Adds threads support for various packages. Usually pthreads.
control-socket: Enables Snort's control socket.
debug: Enables extra debug code paths, like asserts and extra output. If you want to get meaningful backtraces see https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces
file-inspect: Enables extended file inspection capabilities.
high-availability: Enables high-availability state sharing.
inline-init-failopen: Allows traffic to pass (fail-open) through inline deployments while Snort is starting and not yet ready to inspect traffic. If this option is not enabled, network traffic will not pass (fail-closed) until Snort has fully started and is ready to perform packet inspection. Choose deliberately: fail-open trades a short window of uninspected traffic for availability, fail-closed trades availability for guaranteed inspection.
large-pcap-64bit: Allows Snort to read pcap files larger than 2 GB. Only valid on 64-bit systems.
linux-smp-stats: Enables accurate statistics reporting through /proc on systems with multiple processors.
open-appid: Enables OpenAppID, an open, application-focused detection language and processing module for Snort that lets users create, share, and implement application detection. Requires dev-lang/luajit.
reload-error-restart: Enables support for completely restarting Snort if an error is detected during a reload.
selinux: !!internal use only!! Security Enhanced Linux support; this must be set by the selinux profile or breakage will occur.
shared-rep: Enables the use of shared memory for the Reputation Preprocessor (only available on Linux systems).
side-channel: Enables Snort's side channel.
sourcefire: Enables Sourcefire-specific build options, which include --enable-perfprofiling and --enable-ppm.
Emerge
root #
emerge --ask snort
Configuration
Gentoo requires Snort users to define the interface being monitored in the /etc/conf.d/snort configuration file.
Snort ships with an example config that must be copied into place and edited before the daemon will start:
root #
cp /etc/snort/snort.conf.distrib /etc/snort/snort.conf
Troubleshooting
white_list.rules and black_list.rules file not found
PROBLEM: Snort fails to start with "Unable to open address file /etc/snort/white_list.rules or /etc/snort/black_list.rules, Error: No such file or directory".
SOLUTION: The reputation preprocessor requires both list files to exist, even if they are empty. Create the two files in /etc/snort/ or /etc/snort/rules/ and point the whitelist and blacklist paths in /etc/snort/snort.conf at that location.
FATAL ERROR: Can't initialize DAQ afpacket (-1) -
PROBLEM: The Snort daemon fails to start with the error 'FATAL ERROR: Can't initialize DAQ afpacket (-1) -'.
SOLUTION: Install the package net-libs/libnetfilter_queue and enable the kernel option CONFIG_NETFILTER_NETLINK_QUEUE; after that, change "config daq: afpacket" to "config daq: pcap" in /etc/snort/snort.conf. Note that the pcap DAQ is passive: it only reads traffic, so it cannot be used for an inline (IPS) deployment, which needs the afpacket DAQ with an interface pair or the nfq DAQ.
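A pre-flight check that surfaces both of the failures above before the daemon is started, as an added example for this page (it is not part of the Gentoo page, the net-analyzer/snort ebuild, or Snort itself). It reads a Snort 2.9-style snort.conf, reports the DAQ selected by "config daq:", expands "var NAME value" references in the reputation preprocessor's whitelist/blacklist paths, and lists which list files are missing. The function names snort_expand_vars and snort_preflight are the script's own, and resolving relative list paths against the directory containing snort.conf is an assumption of the script. The sample configuration in the comments is constructed for illustration.

```shell
#!/bin/sh
# snort_preflight.sh: sanity-check a Snort 2.9-style snort.conf before starting
# the daemon. Added example, not part of Snort or the Gentoo ebuild. It only
# reads files, so it can be run as an unprivileged user.
#
# Constructed sample of the lines it looks at (as in a stock snort.conf):
#   var WHITE_LIST_PATH rules
#   var BLACK_LIST_PATH rules
#   config daq: afpacket
#   preprocessor reputation: \
#      memcap 500, \
#      priority whitelist, \
#      nested_ip inner, \
#      whitelist $WHITE_LIST_PATH/white_list.rules, \
#      blacklist $BLACK_LIST_PATH/black_list.rules

# snort_expand_vars CONF PATH
# Replaces every $NAME in PATH with the value of the last "var NAME value" line
# in CONF. Prints the result; returns 1 (with PATH unchanged) for an undefined NAME.
snort_expand_vars() {
    local conf="$1" path="$2" name val
    while :; do
        case "$path" in *'$'*) ;; *) break ;; esac
        name=$(printf '%s\n' "$path" | sed -n 's/.*\$\([A-Za-z_][A-Za-z0-9_]*\).*/\1/p')
        [ -n "$name" ] || break
        val=$(sed -n "s/^[[:space:]]*var[[:space:]][[:space:]]*$name[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p" "$conf" | tail -n 1)
        if [ -z "$val" ]; then
            printf '%s\n' "$path"
            return 1
        fi
        path=$(printf '%s\n' "$path" | sed "s|\\\$$name|$val|g")
    done
    printf '%s\n' "$path"
}

# snort_preflight CONF
# Prints one line per finding. Returns 0 when every referenced list file exists,
# 1 when one is missing, 2 when CONF cannot be read.
snort_preflight() {
    local conf="$1" dir daq status=0 lists raw path
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }
    dir=$(cd "$(dirname "$conf")" && pwd)

    # DAQ module from "config daq: <name>"; Snort falls back to pcap when absent.
    daq=$(sed -n 's/^[[:space:]]*config[[:space:]]*daq:[[:space:]]*\([A-Za-z0-9_]*\).*/\1/p' "$conf" | tail -n 1)
    [ -n "$daq" ] || daq=pcap
    echo "daq: $daq"
    if [ "$daq" = pcap ]; then
        echo "note: the pcap DAQ is passive; inline (IPS) mode needs afpacket or nfq"
    fi

    # Reputation list files: "whitelist <path>," / "blacklist <path>," lines.
    lists=$(sed -n \
        -e 's/^[[:space:]]*whitelist[[:space:]]\{1,\}\([^,[:space:]]*\).*/\1/p' \
        -e 's/^[[:space:]]*blacklist[[:space:]]\{1,\}\([^,[:space:]]*\).*/\1/p' "$conf")
    [ -n "$lists" ] || echo "note: no reputation list files configured"
    for raw in $lists; do
        path=$(snort_expand_vars "$conf" "$raw") || true
        # Assumption: relative paths are taken relative to the snort.conf directory.
        case "$path" in /*) ;; *) path="$dir/$path" ;; esac
        if [ -f "$path" ]; then
            echo "ok: $path"
        else
            echo "MISSING: $path"
            status=1
        fi
    done
    return $status
}

# Usage: sh snort_preflight.sh /etc/snort/snort.conf
if [ "$#" -gt 0 ]; then
    snort_preflight "$1"
fi
```

This only makes the two common failures visible without root; Snort's own self-test, snort -T -c /etc/snort/snort.conf, remains the authoritative check and exits non-zero on any configuration error.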
Boot services
OpenRC
To start snort at boot:
root #
rc-update add snort default
To start snort immediately:
root #
rc-service snort start