Snort

From Gentoo Wiki

Snort is an intrusion prevention system, network monitor, and alert daemon.

Installation

USE flags

USE flags for net-analyzer/snort (the de facto standard for intrusion detection/prevention). The scope of each flag (local or global) is given in parentheses.

active-response (local): Enables support for automatically sending TCP resets and ICMP unreachable messages to terminate connections. Used with inline deployments.
control-socket (local): Enables Snort's control socket.
debug (global): Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces
file-inspect (local): Enables extended file inspection capabilities.
flexresp3 (local): Enables support for the new flexible response preprocessor, which enables connection tearing for inline deployments. Replaces flexresp and flexresp2.
gre (local): Enable support for inspecting and processing Generic Routing Encapsulation (GRE) packet headers. Only needed if you are monitoring GRE tunnels.
high-availability (local): Enables high-availability state sharing.
inline-init-failopen (local): Enables support to allow traffic to pass (fail-open) through inline deployments while snort is starting and not yet ready to inspect traffic. If this option is not enabled, network traffic will not pass (fail-closed) until snort has fully started and is ready to perform packet inspection.
large-pcap-64bit (local): Allows Snort to read pcap files that are larger than 2 GB. ONLY VALID FOR 64-bit SYSTEMS!
libtirpc (local): Build against net-libs/libtirpc for RPC support.
linux-smp-stats (local): Enable accurate statistics reporting through /proc on systems with multiple processors.
non-ether-decoders (local): Enable decoding of non-Ethernet protocols such as Token Ring, FDDI, IPX, etc.
perfprofiling (local): Enables support for preprocessor and rule performance profiling using the perfmonitor preprocessor.
ppm (local): Enables support for setting per-rule or per-packet latency limits. Helps protect against introducing network latency with inline deployments.
react (local): Enables support for the react rule keyword. Supports interception, termination, and redirection of HTTP connections.
reload-error-restart (local): Enables support for completely restarting snort if an error is detected during a reload.
selinux (global): !!internal use only!! Security Enhanced Linux support; this must be set by the selinux profile or breakage will occur.
shared-rep (local): Enables the use of shared memory for the Reputation Preprocessor (only available on Linux systems).
side-channel (local): Enables Snort's side channel.
sourcefire (local): Enables Sourcefire-specific build options, which include --enable-perfprofiling and --enable-ppm.
static (global): !!do not set this during bootstrap!! Causes binaries to be statically linked instead of dynamically.
threads (global): Add threads support for various packages. Usually pthreads.

Emerge

root #emerge --ask snort

Configuration

Gentoo requires snort users to define the interface being monitored in the /etc/conf.d/snort configuration file.

Snort ships with an example config that must be copied into place and edited:

root #cp /etc/snort/snort.conf.distrib /etc/snort/snort.conf

Troubleshooting

white_list.rules and black_list.rules files not found

PROBLEM: Unable to open address file /etc/snort/white_list.rules or /etc/snort/black_list.rules, Error: No such file or directory

SOLUTION: Create those two files in the /etc/snort/ or /etc/snort/rules/ directory and set their location accordingly in /etc/snort/snort.conf.

FATAL ERROR: Can't initialize DAQ afpacket (-1) -

PROBLEM: The Snort daemon fails to start with the error 'FATAL ERROR: Can't initialize DAQ afpacket (-1) -'

SOLUTION: Install the package net-libs/libnetfilter_queue and enable the kernel option CONFIG_NETFILTER_NETLINK_QUEUE. After that, in snort.conf change the option config daq: afpacket to config daq: pcap.
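The following pre-flight script is an added example, not from this wiki page or the Snort project: before starting the service it checks a snort.conf for the two conditions above (the reputation list files actually existing where the config points, and which DAQ module is configured). It assumes the stock snort.conf layout, where var WHITE_LIST_PATH and var BLACK_LIST_PATH are referenced by the reputation preprocessor as $WHITE_LIST_PATH/white_list.rules and $BLACK_LIST_PATH/black_list.rules; the sample config it builds is constructed in a temporary directory.

```shell
#!/bin/sh
# Added pre-flight check (not from the Gentoo wiki or the Snort project) for the
# two troubleshooting items above; assumes the stock snort.conf layout where
# "var WHITE_LIST_PATH ../rules" feeds "whitelist $WHITE_LIST_PATH/white_list.rules".

# Print the value of "var NAME value" from a snort.conf ($1=conf, $2=NAME).
snort_var() {
    sed -n "s/^[[:space:]]*var[[:space:]]\{1,\}$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# Relative paths in snort.conf resolve against the directory holding the file.
resolve_path() {  # $1=conf, $2=path
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s\n' "$(dirname "$1")/$2" ;;
    esac
}

# Verify that both reputation list files exist; print what is missing and
# return 1 on any problem, 0 when snort would find both files.
check_list_files() {  # $1=conf
    conf=$1 rc=0
    for pair in WHITE_LIST_PATH:white_list.rules BLACK_LIST_PATH:black_list.rules; do
        name=${pair%%:*} file=${pair##*:}
        dir=$(snort_var "$conf" "$name")
        [ -n "$dir" ] || { echo "var $name is not set in $conf"; rc=1; continue; }
        path=$(resolve_path "$conf" "$dir")/$file
        [ -f "$path" ] || { echo "missing: $path (create it or fix var $name)"; rc=1; }
    done
    return $rc
}

# Print the active "config daq:" module, empty when the default is in use
# (comment lines such as "# config daq: afpacket" are ignored).
daq_module() {  # $1=conf
    sed -n 's/^[[:space:]]*config[[:space:]]\{1,\}daq:[[:space:]]*//p' "$1" | head -n 1
}

# Stand-alone demo on a constructed snort.conf in a temporary directory.
demo() {
    d=$(mktemp -d)
    mkdir "$d/etc" "$d/rules"
    printf 'var WHITE_LIST_PATH ../rules\nvar BLACK_LIST_PATH ../rules\nconfig daq: afpacket\n' \
        > "$d/etc/snort.conf"
    touch "$d/rules/white_list.rules"          # black_list.rules deliberately absent
    echo "daq module: $(daq_module "$d/etc/snort.conf")"
    check_list_files "$d/etc/snort.conf" || echo "fix the files above, then rerun"
    rm -rf "$d"
}
demo
```

Once this passes, snort -T -c /etc/snort/snort.conf runs Snort's own full configuration test without starting the daemon.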

Boot services

OpenRC

To start snort at boot:

root #rc-update add snort default

To start snort immediately:

root #rc-service snort start
