Emerged prelude as described in the manual. Added 'prelude' to use-flags and emerged snort. No errors.

Modified snort.conf and added:
output alert_prelude: async, classification_file=/etc/snort/prelude-classification.config

Ran:
sensor-adduser -s snort -m 127.0.0.1 -u 0

Prelude is dumping in a mysql database and the results are shown in piwi. If I use prelude-nids, everything is working fine. I see some alerts in piwi. If I replace prelude-nids with snort, I can see alerts in /var/log/snort/alert, but nothing in piwi. I ran portscans and other things to generate alerts. I have not changed anything in /etc/conf.d, so everything is like a fresh install. Snort is running as user snort (with uid 1000).

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Created attachment 24538 [details] Output of snort
Created attachment 24539 [details] Prelude-manager output
Please attach the output of 'emerge info'.
Created attachment 24541 [details] snort.conf
Created attachment 24542 [details] emerge info
The prelude plugin for snort does not handle the -u/-g flags properly. Either run snort as root or change to prelude-nids. I will notify the patch author about the issue and update the ebuild once the issue has been resolved. If you decide to run snort as root, please take a look at GRSecurity, SELinux or systrace to restrict the power of snort. You could also run snort in a chroot environment: add "-t /var/log/snort" to the command line. You might need to change the log directory path to "." if you do this and use any other output format than alert_prelude.