Bug 507220 - Gentoo security handbook is out of date (Snort section)
Summary: Gentoo security handbook is out of date (Snort section)
Status: RESOLVED FIXED
Alias: None
Product: [OLD] Docs on www.gentoo.org
Classification: Unclassified
Component: Other documents
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL: http://www.gentoo.org/doc/en/security...
Reported: 2014-04-09 08:48 UTC by peter@prh.myzen.co.uk
Modified: 2014-04-10 18:50 UTC
Description peter@prh.myzen.co.uk 2014-04-09 08:48:15 UTC
As part of preparing my LAN server for exposure to the big bad world, I wanted to make it reasonably secure, and one tool for that seemed to be the snort IDS. So I installed net-analyzer/snort-2.9.6.0 via portage and tried to follow the snort section of the security handbook (URL as above).
That page refers to lots of rules in the /etc/snort/rules directory, but that directory is empty. (I assume it's where you put any rules you write yourself - this should be made clear.) So I just copied the snort.conf.distrib file to snort.conf and used that. To my surprise, I only had to comment out the blacklist and whitelist entries, because I hadn't created any lists, and it started up straight away.

Reproducible: Always
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2014-04-09 18:11:10 UTC
I'll do a quick edit to this regard in the security handbook.

However, I'm hoping to switch security best practice information for Gentoo from the handbook format towards the SCAP XCCDF format [1]. This is a lengthy exercise though, so I might be moving application-specific information to the Gentoo wiki first (such as the Snort info).

[1] http://dev.gentoo.org/~swift/docs/security_benchmarks/
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2014-04-09 18:18:15 UTC
There ya go, section updated. It now just tells the reader to copy the snort.conf.distrib file and perhaps comment out the blacklist / whitelist entries.

Fixed in CVS, should show up on the site in an hour or so.
Comment 3 peter@prh.myzen.co.uk 2014-04-10 08:53:59 UTC
(In reply to Sven Vermeulen from comment #2)

Thank you Sven. Very prompt!
Comment 4 peter@prh.myzen.co.uk 2014-04-10 08:57:38 UTC
(In reply to Peter Humphrey from comment #3)
> (In reply to Sven Vermeulen from comment #2)
> 
> Thank you Sven. Very prompt!

I should have added that PIDFILE ought to say /run/snort_eth0.pid, not /var/run these days. It hardly matters though.
Comment 5 peter@prh.myzen.co.uk 2014-04-10 14:49:52 UTC
One last thing (I hope!).

It appears that snort requires SNORT_CONF to be defined in /etc/conf.d/snort - at least, it wouldn't start for me without it. Also, specifying -s floods /var/log/messages with all sorts of stuff which ought to be in a snort log. Finally, including -ev causes large quantities of packet logs to accumulate.

Therefore I suggest this for /etc/conf.d/snort:

---------------
SNORT_IFACE="eth0"
PIDFILE=/run/snort_eth0.pid
MODE="full"
NETWORK="192.168.0.0/24"
LOGDIR="/var/log/snort"
SNORT_CONF="/etc/snort/snort.conf"
SNORT_OPTS="-q -D -u snort -d -l $LOGDIR -h $NETWORK -c $SNORT_CONF"
---------------

Thanks again for your help, Sven.
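The three pitfalls raised in this comment (PIDFILE still under /var/run, SNORT_CONF missing so the init script cannot start snort, and -s / -ev flooding syslog and the packet log) are easy to lint for before restarting the service. The script below is an added example, not part of the bug report or of the Gentoo handbook; the sample /etc/conf.d/snort contents it writes are constructed here, and the path it checks is whatever you pass to it.

```shell
#!/bin/sh
# Added example (not from the bug report): lint an OpenRC /etc/conf.d/snort
# for the three problems described in comment 5.

# write_sample_confd FILE bad|good: write a constructed conf.d file so the
# check can be exercised offline. "bad" has the problems the comment
# describes; "good" is the layout the comment suggests.
write_sample_confd() {
    if [ "$2" = "bad" ]; then
        cat > "$1" <<'EOF'
SNORT_IFACE="eth0"
PIDFILE=/var/run/snort_eth0.pid
MODE="full"
NETWORK="192.168.0.0/24"
LOGDIR="/var/log/snort"
SNORT_OPTS="-s -ev -D -u snort -d -l $LOGDIR -h $NETWORK -c /etc/snort/snort.conf"
EOF
    else
        cat > "$1" <<'EOF'
SNORT_IFACE="eth0"
PIDFILE=/run/snort_eth0.pid
MODE="full"
NETWORK="192.168.0.0/24"
LOGDIR="/var/log/snort"
SNORT_CONF="/etc/snort/snort.conf"
SNORT_OPTS="-q -D -u snort -d -l $LOGDIR -h $NETWORK -c $SNORT_CONF"
EOF
    fi
}

# check_snort_confd FILE: print one line per finding; the return value is
# the number of findings, so 0 means the file matches the suggested layout.
check_snort_confd() {
    _file="$1"
    _findings=0
    # Source the file in a child shell so its variables do not leak into
    # the caller, then read back the three values we care about.
    _vals=$(sh -c '. "$1"; printf "%s\n%s\n%s\n" "$PIDFILE" "$SNORT_CONF" "$SNORT_OPTS"' sh "$_file") || return 1
    _pidfile=$(printf '%s\n' "$_vals" | sed -n 1p)
    _conf=$(printf '%s\n' "$_vals" | sed -n 2p)
    _opts=$(printf '%s\n' "$_vals" | sed -n 3p)

    # PIDFILE: /var/run is a legacy location; /run is where it belongs now.
    case "$_pidfile" in
        /run/*) ;;
        *) echo "PIDFILE should be under /run, got: $_pidfile"; _findings=$((_findings + 1)) ;;
    esac
    # SNORT_CONF: the init script would not start snort without it.
    if [ -z "$_conf" ]; then
        echo "SNORT_CONF is not defined"; _findings=$((_findings + 1))
    fi
    # -s sends alerts to syslog, flooding /var/log/messages.
    case " $_opts " in
        *" -s "*) echo "SNORT_OPTS contains -s: alerts go to syslog instead of the snort log"; _findings=$((_findings + 1)) ;;
    esac
    # -e / -v dump link-layer headers and packet contents, so logs pile up.
    case " $_opts " in
        *" -ev "*|*" -ve "*|*" -e "*|*" -v "*) echo "SNORT_OPTS contains packet dumping flags (-e/-v)"; _findings=$((_findings + 1)) ;;
    esac
    return $_findings
}
```

Run it as `check_snort_confd /etc/conf.d/snort` before `rc-service snort restart`; a non-zero exit means at least one of the issues from this comment is still present.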
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2014-04-10 18:50:58 UTC
Thanks, I've updated the file accordingly.

AFAIK you don't need SNORT_CONF as the example in the handbook used the $CONF variable (in your example, you use $SNORT_CONF in the $SNORT_OPTS variable). I've now used your example though (in case the snort init script also uses the $SNORT_CONF variable).