Bug 352515 - net-analyzer/snort-2.9.0.3: modify /etc/snort/snort.conf.distrib to enable/disable features based on USE flags
Summary: net-analyzer/snort-2.9.0.3: modify /etc/snort/snort.conf.distrib to enable/di...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High minor
Assignee: Patrick Lauer
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-01-23 17:13 UTC by Thomas Fischer
Modified: 2011-07-30 21:09 UTC

See Also:
Package list:
Runtime testing required: ---
Description Thomas Fischer 2011-01-23 17:13:51 UTC
Configuration files for Snort as created by the ebuild (snort.conf.distrib) should enable/disable features based on the USE flags set at compilation time. E.g. if the flag "normalizer" is not set or disabled, all configuration settings in snort.conf.distrib with "preprocessor normalize_ip4" and the like should get commented out (prepended by "#"). Otherwise, the default configuration file will not work out-of-the-box. The same may hold for other USE flags such as "dynamicplugin"...

Reproducible: Always
Comment 1 Jason Wallace 2011-01-24 17:41:36 UTC
Thx for the feedback!

We currently do some cleanup on the config file that is shipped with snort, but I think you are right, we could do some more. I've actually been looking at this for a little while now. I think you are right, the normalizer stuff is an easy win.

It does get a little complicated though, because there are actually 2 possible configs involved depending on whether you compile snort with ipv6 or not.

While I think there is some additional cleanup that could happen, I do not think setting a goal of having a working "out-of-the-box" config for all USE flag cases is necessarily a good idea. For example, "dynamicplugin" should always be enabled if snort is being used as an IDS/IPS (that is why it is enabled by default in the ebuild). The only real use case where you might not want this is if you were solely using snort to capture and log packets (i.e. no analysis), and honestly there are better applications that handle this task. If a user disables "dynamicplugin" and has a ready-made config file that works: 1) they are going to run into a lot of problems when they try to use rules that require these plugins; 2) I would rather see snort fail to start than have a user think that the dynamic plug-ins are somewhat optional.

But again, I do agree with you about the normalizer options. I was a little surprised to see this enabled by default in the snort.conf. Especially since I've seen this create some network havoc on inline sensors.
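The normalizer cleanup discussed in the description and in comment 1 amounts to a simple filter: comment out every `preprocessor normalize_*` directive when the controlling USE flag is off, and leave everything else (including the dynamicplugin lines) untouched. The following POSIX sh snippet is an added example and not code from the Gentoo ebuild; the function name `disable_unused_preprocessors`, the `FLAG_DIRECTIVES` mapping (only the "normalizer" entry comes from this bug) and the sample config lines are assumptions constructed for illustration. Inside a real ebuild the enabled-flag list would be derived from `use <flag>` tests rather than passed in by hand.

```shell
#!/bin/sh
# Added example (not from the snort ebuild): comment out snort.conf
# preprocessor directives whose USE flag is not enabled, so the shipped
# snort.conf.distrib does not reference preprocessors that were never built.

# Assumed mapping: "<use-flag>:<preprocessor-name-prefix>". Only the
# normalizer entry is taken from the bug report; add more entries as needed.
FLAG_DIRECTIVES="normalizer:normalize_"

# Read a snort.conf on stdin and write it to stdout with every
# "preprocessor <prefix>..." line commented out unless the gating USE flag
# appears in $1 (a space-separated list of enabled flags).
disable_unused_preprocessors() {
  enabled=" $1 "
  while IFS= read -r line; do
    out=$line
    for entry in $FLAG_DIRECTIVES; do
      flag=${entry%%:*}
      prefix=${entry#*:}
      # Flag is on: this preprocessor stays active.
      case "$enabled" in *" $flag "*) continue ;; esac
      # Flag is off: prepend "#" to directives for this preprocessor only.
      case "$line" in "preprocessor $prefix"*) out="#$line" ;; esac
    done
    printf '%s\n' "$out"
  done
}

# Constructed sample resembling the relevant part of snort.conf; these are
# not the file's real contents.
sample_config() {
  cat <<'EOF'
# Inline packet normalization (constructed sample)
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
# Target-based IP defragmentation
preprocessor frag3_global: max_frags 65536
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
EOF
}

# Count active (uncommented) normalize_* directives in the config on stdin.
count_active_normalizers() {
  grep -c '^preprocessor normalize_' || true
}

# Stand-alone run: build a config as if USE="dynamicplugin -normalizer".
sample_config | disable_unused_preprocessors "dynamicplugin"
```

Running the block with only "dynamicplugin" enabled yields a config in which the three normalize_* lines are commented out while frag3_global and the dynamicpreprocessor directive remain active; passing "dynamicplugin normalizer" leaves the file unchanged.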
Comment 2 Jakub Kowalski 2011-02-02 10:16:04 UTC
There is a line in the config:

include $PREPROC_RULE_PATH/sensitive-data.rules

But there is no sensitive-data.rules file included. I don't know if it is dependent on some USE flag, but I thought it's not worth creating another bug.
Comment 3 Jason Wallace 2011-02-02 21:49:35 UTC
This is actually a bug in the ebuild (kind of). That file is shipped with snort but the most current version is found in the rules tarball when you install the VRT rules. I'll make sure the default version is included in the install in the next ebuild version.

Thx for pointing this out! 

(In reply to comment #2)
> There line in config:
> 
> include $PREPROC_RULE_PATH/sensitive-data.rules
> 
> But there is no sensitive-data.rules file included. I don't know if it is
> dependent on some USE flag, but I thought it's not worth creating another bug.
> 

Comment 4 Jason Wallace 2011-02-21 16:58:47 UTC
Bug 355865

Resolves the initial normalizer issue and the sensitive-data.rules issue from comment #2.

This can be marked RESOLVED when the ebuild from Bug 355865 is added to portage.