the snort-1.9 ebuild doesen't install the reference.config file which snort
apparently needs to start up.
There are some more files in the snort-dist, which doesen't seem to be
important - for snort at least! :)
Created attachment 6240 [details, diff]
Bouncing back to bug-wranglers due to time constraints.
As far as I can see, there actually was a security-warning release about snort < 1.9.1, which tells people to install the new version.
If someone actually installs the new version without the old one previously installed, they won't get it working!
or, my brain is broken - In any case you should get this bug closed one way or the other! :P
And while I'm at it, why the hell is '-dev' set as options in the default config?
Try running snort with the params given by default:
/usr/bin/snort -u snort -i eth0 -dev -l /var/log/snort -c /etc/snort/snort.conf
As you will see, the result is snort wasting alot of time printing the raw data to stdout which in the startupscript is redirected to /dev/null ..
Also, '-A fast -ab' are nice options but that's another matter ;]
This is preventing me from getting snort to work properly...
update; i'll attach a fixed/updated ebuild for snort-1.9.1 that fixes these issues that exist with current ebuild:
- reference.config is now being installed.
- var RULE_PATH is now sane with regards to the actual installation made by the ebuild. (now it points to the actual directory the rules lay;)
- /etc/conf.d/snort now does NOT use '-v' argument by default, I quote from the manpage as to why this should not be used (if you look away from the obvious one with snort sending output to stdout which is redirected to /dev/null by init-script:
-v Be verbose. Prints packets out to the console. There is one
big problem with verbose mode: it's slow. If you are doing IDS
work with Snort, don't use the '-v' switch, you WILL drop pack-
Created attachment 10291 [details]
fixed ebuild for snort-1.9.1
Created attachment 10292 [details]
conf.d/snort, fixed to NOT include '-v' by default.
Created attachment 10293 [details]
patch used by the ebuild to fix 'var RULE_PATH' to sane value.
2.0 is stable cause of GLSA