From Gentoo Wiki
Jump to:navigation Jump to:search
This article is a stub. Please help out by expanding it - how to get started.

Snort is an intrusion prevention system, network monitor, and alert daemon.


USE flags

USE flags for net-analyzer/snort The de facto standard for intrusion detection/prevention

active-response Enables support for automatically sending TCP resets and ICMP unreachable messages to terminate connections. Used with inline deployments.
control-socket Enables Snort's control socket.
debug Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see
file-inspect Enables extended file inspection capabilities.
flexresp3 Enables support for new flexable response preprocessor for enabling connection tearing for inline deployments. Replaces flexresp and flexresp2.
gre Enable support for inspecting and processing Generic Routing Encapsulation (GRE) packet headers. Only needed if you are monitoring GRE tunnels.
high-availability Enables high-availability state sharing.
inline-init-failopen Enables support to allow traffic to pass (fail-open) through inline deployments while snort is starting and not ready to begin inspecting traffic. If this option is not enabled, network traffic will not pass (fail-closed) until snort has fully started and is ready to perform packet inspection.
large-pcap-64bit Allows Snort to read pcap files that are larger than 2 GB. ONLY VALID FOR 64bit SYSTEMS!
libtirpc Build against net-libs/libtirpc for RPC support
linux-smp-stats Enable accurate statistics reporting through /proc on systems with multiple processors.
non-ether-decoders Enable decoding of non-ethernet protocols such as TokenRing, FDDI, IPX, etc.
open-appid Enable OpenAppID, an open, application-focused detection language and processing module for Snort that enables users to create, share, and implement application detection. Requires dev-lang/luajit.
perfprofiling Enables support for preprocessor and rule performance profiling using the perfmonitor preprocessor.
ppm Enables support for setting per rule or per packet latency limits. Helps protect against introducing network latency with inline deployments.
react Enables support for the react rule keyword. Supports interception, termination, and redirection of HTTP connections.
reload-error-restart Enables support for completely restarting snort if an error is detected during a reload.
selinux !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
shared-rep Enables the use of shared memory for the Reputation Preprocessor (Only available on Linux systems)
side-channel Enables Snort's side channel.
sourcefire Enables Sourcefire specific build options, which include --enable-perfprofiling and --enable-ppm.
threads Add threads support for various packages. Usually pthreads


root #emerge --ask snort


Gentoo requires snort users to define the interface being monitored the /etc/conf.d/snort configuration file.

Snort ships with an example config that must be moved and edited:

root #cp /etc/snort/snort.conf.distrib /etc/snort/snort.conf


white_list.rules and black_list.rules file not found

PROBLEM: Unable to open address file /etc/snort/white_list.rules or /etc/snort/black_list.rules, Error: No such file or directory

SOLUTION: create those 2 files in /etc/snort/ or /etc/snort/rules/ directory and change the location appropriately in /etc/snort/snort.conf

FATAL ERROR: Can't initialize DAQ afpacket (-1) -

PROBLEM: Snort daemon fails to load with the error 'FATAL ERROR: Can't initialize DAQ afpacket (-1) -'

SOLUTION: Install the package net-libs/libnetfilter_queue and enable the kernel option CONFIG_NETFILTER_NETLINK_QUEUE, after that in snort.conf change the option config daq: afpacket too config daq: pcap

Boot services


To start snort at boot:

root #rc-update add snort default

To start snort immediately:

root #rc-service snort start

See also

  • Wireshark — a free and open-source packet analyzer.

External Resources