Snort

Snort is an intrusion prevention system, network monitor, and alert daemon.

Configuration
Gentoo requires Snort users to define the interface being monitored in the configuration file.

Snort ships with an example config that must be moved and edited:

white_list.rules and black_list.rules file not found
PROBLEM: Unable to open address file /etc/snort/white_list.rules or /etc/snort/black_list.rules, Error: No such file or directory

SOLUTION: Create those two files in the /etc/snort/ or /etc/snort/rules/ directory, and change the location accordingly in /etc/snort/snort.conf.
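
The fix above as a script, added here as an example and not part of the original page: it reads the whitelist and blacklist paths from a snort.conf, expands a leading variable such as WHITE_LIST_PATH, and creates any list file that is missing. The function names, the sample config, and the rule that relative paths resolve against the directory holding snort.conf are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: find the reputation list files a snort.conf refers to and
# create the ones that are missing. Relative paths are resolved against the
# directory holding snort.conf (an assumption of this sketch).

# Print the resolved path of every whitelist/blacklist file named in $1.
list_paths() {
    awk -v base="$(dirname "$1")" '
        $1 == "var" { vars[$2] = $3; next }        # e.g. var WHITE_LIST_PATH /etc/snort/rules
        $1 == "whitelist" || $1 == "blacklist" {   # skips the "priority whitelist," option
            path = $2
            sub(/,$/, "", path)                    # drop the option separator
            if (substr(path, 1, 1) == "$") {       # expand a leading $VAR
                cut = index(path, "/")
                if (cut == 0) cut = length(path) + 1
                path = vars[substr(path, 2, cut - 2)] substr(path, cut)
            }
            if (substr(path, 1, 1) != "/") path = base "/" path
            print path
        }' "$1"
}

# Create every referenced list file that does not exist yet; an empty file is enough.
create_missing_lists() {
    list_paths "$1" | while IFS= read -r f; do
        [ -e "$f" ] && continue
        mkdir -p "$(dirname "$f")" && : > "$f" && echo "created $f"
    done
}

# Constructed sample config in a scratch directory (not a real snort.conf).
demo=$(mktemp -d)
cat > "$demo/snort.conf" <<EOF
var WHITE_LIST_PATH $demo/rules
var BLACK_LIST_PATH rules
preprocessor reputation: \\
   memcap 500, \\
   priority whitelist, \\
   whitelist \$WHITE_LIST_PATH/white_list.rules, \\
   blacklist \$BLACK_LIST_PATH/black_list.rules
EOF
create_missing_lists "$demo/snort.conf"
```

On a real system, run `create_missing_lists /etc/snort/snort.conf` as root after checking the paths that `list_paths` prints.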

FATAL ERROR: Can't initialize DAQ afpacket (-1) -
PROBLEM: Snort daemon fails to load with the error 'FATAL ERROR: Can't initialize DAQ afpacket (-1) -'

SOLUTION: Install the package net-libs/libnetfilter_queue and enable the kernel option CONFIG_NETFILTER_NETLINK_QUEUE. After that, in snort.conf, change the option "config daq: afpacket" to "config daq: pcap".

OpenRC
To start snort at boot:

To start snort immediately:

External Resources

 * https://wiki.archlinux.org/index.php/Snort
 * http://oinkmaster.sourceforge.net/