Snort

From Gentoo Wiki

Snort is an intrusion prevention system, network monitor, and alert daemon.

Installation

USE flags

Package atom: net-analyzer/snort

Emerge

root #emerge --ask snort

Configuration

Gentoo requires Snort users to define the interface being monitored in the /etc/conf.d/snort configuration file.

Snort ships with an example config that must be copied into place and edited:

root #cp /etc/snort/snort.conf.distrib /etc/snort/snort.conf

Troubleshooting

white_list.rules and black_list.rules file not found

PROBLEM: Unable to open address file /etc/snort/white_list.rules or /etc/snort/black_list.rules, Error: No such file or directory

SOLUTION: create those two files in the /etc/snort/ or /etc/snort/rules/ directory and set their location accordingly in /etc/snort/snort.conf

FATAL ERROR: Can't initialize DAQ afpacket (-1) -

PROBLEM: Snort daemon fails to load with the error 'FATAL ERROR: Can't initialize DAQ afpacket (-1) -'

SOLUTION: Install the package net-libs/libnetfilter_queue and enable the kernel option CONFIG_NETFILTER_NETLINK_QUEUE; after that, in snort.conf change the option config daq: afpacket to config daq: pcap
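The following script is an added example, not part of the Gentoo wiki page or of the Snort project, that applies the configuration and both troubleshooting fixes above in one pass: it creates the white_list.rules and black_list.rules files, points snort.conf at them, and switches the DAQ from afpacket to pcap. It assumes the Snort 2.9 snort.conf variables WHITE_LIST_PATH and BLACK_LIST_PATH and the exact line "config daq: afpacket"; the demo function works on a constructed snort.conf fragment in a scratch directory so it can be run without touching /etc/snort.

```shell
#!/bin/sh
# Added example (not from the Gentoo wiki page or the Snort project).
# Assumptions: snort.conf uses the Snort 2.9 variables WHITE_LIST_PATH and
# BLACK_LIST_PATH and the line "config daq: afpacket". Uses GNU sed -i.

# Create an empty reputation list file if it is missing.
# $1 = directory, $2 = file name (white_list.rules or black_list.rules)
ensure_list_file() {
    mkdir -p "$1"
    [ -f "$1/$2" ] || printf '# %s: one address or CIDR per line\n' "$2" > "$1/$2"
}

# Point the list-path variables in snort.conf at the directory holding the files.
# $1 = snort.conf path, $2 = absolute directory containing the two list files
set_list_paths() {
    sed -i \
        -e "s|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH $2|" \
        -e "s|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH $2|" "$1"
}

# Switch the DAQ module from afpacket to pcap, as in the troubleshooting entry.
# $1 = snort.conf path
use_pcap_daq() {
    sed -i 's/^config daq: afpacket$/config daq: pcap/' "$1"
}

# Return 0 when both list files referenced by snort.conf exist on disk,
# i.e. the "Unable to open address file" error can no longer occur.
# $1 = snort.conf path
lists_resolve() {
    wdir=$(sed -n 's/^var WHITE_LIST_PATH //p' "$1")
    bdir=$(sed -n 's/^var BLACK_LIST_PATH //p' "$1")
    [ -f "$wdir/white_list.rules" ] && [ -f "$bdir/black_list.rules" ]
}

# Build a constructed snort.conf fragment in a scratch directory, apply the
# fixes to it, and print the directory so the result can be inspected.
demo() {
    work=$(mktemp -d)
    cat > "$work/snort.conf" <<'EOF'
var RULE_PATH ../rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
config daq: afpacket
preprocessor reputation: memcap 500, priority whitelist, nested_ip inner, whitelist $WHITE_LIST_PATH/white_list.rules, blacklist $BLACK_LIST_PATH/black_list.rules
EOF
    ensure_list_file "$work/rules" white_list.rules
    ensure_list_file "$work/rules" black_list.rules
    set_list_paths "$work/snort.conf" "$work/rules"
    use_pcap_daq "$work/snort.conf"
    echo "$work"
}
```

To apply the same steps to a real installation, call ensure_list_file with /etc/snort/rules, set_list_paths with /etc/snort/snort.conf and /etc/snort/rules, and use_pcap_daq with /etc/snort/snort.conf; lists_resolve then confirms that the paths written into snort.conf actually resolve before the daemon is restarted.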

Boot services

OpenRC

To start snort at boot:

root #rc-update add snort default

To start snort immediately:

root #rc-service snort start
