Bug 507220

Summary:	Gentoo security handbook is out of date (Snort section)
Product:	[OLD] Docs on www.gentoo.org	Reporter:	peter <peter>
Component:	Other documents	Assignee:	Sven Vermeulen (RETIRED) <swift>
Status:	RESOLVED FIXED
Severity:	normal	CC:	docs-team
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://www.gentoo.org/doc/en/security/security-handbook.xml?style=printable&part=1&chap=13
Whiteboard:
Package list:		Runtime testing required:	---

Description peter@prh.myzen.co.uk 2014-04-09 08:48:15 UTC

As part of preparing my LAN server for exposure to the big bad world, I wanted to make it reasonably secure, and one tool for that seemed to be the snort IDS. So I installed net-analyzer/snort-2.9.6.0 via portage and tried to follow the snort section of the security handbook (URL as above).
That page refers to lots of rules in the /etc/snort/rules directory, but that directory is empty. (I assume it's where you put any rules you write yourself - this should be made clear.) So I just copied the snort.conf.distrib file to snort.conf and used that. To my surprise, I only had to comment out the blacklist and whitelist entries, because I hadn't created any lists, and it started up straight away.

Reproducible: Always

Comment 1 Sven Vermeulen (RETIRED) gentoo-dev

2014-04-09 18:11:10 UTC

I'll do a quick edit to this regard in the security handbook.

However, I'm hoping to switch security best practice information for Gentoo from the handbook format towards the SCAP XCCDF format [1]. This is a lengthy exercise though, so I might be moving application-specific information to the Gentoo wiki first (such as the Snort info).

[1] http://dev.gentoo.org/~swift/docs/security_benchmarks/

Comment 2 Sven Vermeulen (RETIRED) gentoo-dev

2014-04-09 18:18:15 UTC

There ya go, section updated. It now just tells the reader to copy the snort.conf.distrib file and perhaps comment out the blacklist / whitelist entries.

Fixed in CVS, should show up on the site in an hour or so.

Comment 3 peter@prh.myzen.co.uk 2014-04-10 08:53:59 UTC

(In reply to Sven Vermeulen from comment #2)

Thank you Sven. Very prompt!

Comment 4 peter@prh.myzen.co.uk 2014-04-10 08:57:38 UTC

(In reply to Peter Humphrey from comment #3)
> (In reply to Sven Vermeulen from comment #2)
> 
> Thank you Sven. Very prompt!

I should have added that PIDFILE ought to say /run/snort_eth0.pid, not /var/run these days. It hardly matters though.

Comment 5 peter@prh.myzen.co.uk 2014-04-10 14:49:52 UTC

One last thing (I hope!).

It appears that snort requires SNORT_CONF to be defined in /etc/conf.d/snort - at least, it wouldn't start for me without it. Also, specifying -s floods /var/log/messages with all sorts of stuff which ought to be in a snort log. Finally, including -ev causes large quantities of packet logs to accumulate.

Therefore I suggest this for /etc/conf.d/snort:

---------------
SNORT_IFACE="eth0"
PIDFILE=/run/snort_eth0.pid
MODE="full"
NETWORK="192.168.0.0/24"
LOGDIR="/var/log/snort"
SNORT_CONF="/etc/snort/snort.conf"
SNORT_OPTS="-q -D -u snort -d -l $LOGDIR -h $NETWORK -c $SNORT_CONF"
---------------

Thanks again for your help, Sven.

Comment 6 Sven Vermeulen (RETIRED) gentoo-dev

2014-04-10 18:50:58 UTC

Thanks, I've updated the file accordingly.

Afaik you don't need SNORT_CONF as the example in the handbook used the $CONF variable (in your example, you use $SNORT_CONF in the $SNORT_OPTS variable). I've now used your example though (in case the snort init script also uses the $SNORT_CONF variable).