snort (net/snort) Updated: 2 years, 2 months ago

Open Source Network Intrusion Detection System

Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

Version: 2.9.20 License: GPL-2
Maintainers No Maintainer
Categories net
Homepage https://www.snort.org/
Platforms darwin freebsd
Variants
  • if_en0 (Snort launch daemon interface en0)
  • if_en1 (Snort launch daemon interface en1)
  • universal (Build for multiple architectures)

"snort" depends on

lib (4)
build (2)

Ports that depend on "snort"
Port notes

***** File locations *****

The Snort database schemas -> ${prefix}/share/snort/schemas
The snort.conf sample file -> ${prefix}/share/examples/snort/snort.conf.dist
If it does not already exist, the sample config is copied to ${prefix}/etc/snort.conf

NOTE: Make sure you do not change the location of the snort.conf file or the startup scripts will not be able to find it.

*Please download rules from https://www.snort.org/downloads/#rule-downloads either manually or with oinkmaster.*
Oinkmaster is the recommended way with regular updates.

Change at least your HOME_NET in snort.conf, then validate your config with
$ snort -T -c ${prefix}/etc/snort/snort.conf

By default ${prefix}/share/snort/snort.sh is configured to listen only on the en0 interface.
If you want to listen on multiple interfaces, you need to start one snort instance per interface (or bond them).

To check that the rules were loaded and which output plugins are configured:
$ grep 'Snort rules read' /var/log/system.log
$ egrep '^output' ${prefix}/etc/snort/snort.conf
If the log files are created but stay empty, also try setting:
ipvar EXTERNAL_NET !$HOME_NET
instead of "ipvar EXTERNAL_NET any".

You can test that snort is functioning with these tools:
ftp http://$EXTERNAL_HOST/cmd.exe
ftp http://lteo.net/cmd.exe
http://testmyids.com
nmap, IDSWakeup, pytbull, metasploit

To use blacklist/whitelist, see
http://blog.securitymonks.com/2009/07/19/blacklisting-with-snort/
http://systemnoise.com/wordpress/?p=89
http://labs.snort.org/iplists/

A startup item has been generated that will aid in starting snort with launchd. It is disabled by default. Execute the following command to start it, and to cause it to launch at startup:

sudo port load snort

Installations (30 days): 6
Requested Installations (30 days): 6