snort (net/snort) Updated: 2 months, 4 weeks ago Add to my watchlist

Open Source Network Intrusion Detection System

Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

Version: 2.9.18.1 License: GPL-2 GitHub
Maintainers No Maintainer
Categories net
Homepage https://www.snort.org/
Platforms darwin freebsd
Variants
  • if_en0 (Snort launch daemon interface en0)
  • if_en1 (Snort launch daemon interface en1)
  • universal (Build for multiple architectures)

"snort" depends on

lib (4)
build (2)

Ports that depend on "snort"



Port notes

***** File locations *****

The Snort database schemas -> ${prefix}/share/snort/schemas
The snort.conf sample file -> ${prefix}/share/examples/snort/snort.conf.dist
If it doesn't exist before, the sample config is copied to ${prefix}/etc/snort.conf

NOTE: Make sure you do not change the location of the snort.conf file or the startup scripts will not be able to find it.

*Please download rules from https://www.snort.org/downloads/#rule-downloads either manually or with oinkmaster.*
Oinkmaster is the recommended way with regular updates.

Change at least your HOME_NET in snort.conf and Validate your config with
$ snort -T -c ${prefix}/etc/snort/snort.conf

By default ${prefix}/share/snort/snort.sh is configured to listen only on en0 interface.
If you want to listen multiple interface, you need to start one snort instance per interface (or bond them)

$ grep 'Snort rules read' /var/log/system.log
$ egrep '^output' ${prefix}/etc/snort/snort.conf
If you get empty touched logs, try also to set:
ipvar EXTERNAL_NET !$HOME_NET
instead of any

You can test that snort is functioning by using these tools:
ftp http://$EXTERNAL_HOST/cmd.exe
ftp http://lteo.net/cmd.exe
http://testmyids.com
nmap, IDSWakeup, pytbull, metasploit

To use blacklist/whitelist, see
http://blog.securitymonks.com/2009/07/19/blacklisting-with-snort/
http://systemnoise.com/wordpress/?p=89
http://labs.snort.org/iplists/ A startup item has been generated that will aid in starting snort with launchd. It is disabled by default. Execute the following command to start it, and to cause it to launch at startup:

sudo port load snort


Port Health:

- No history in app's database

Installations (30 days)

2

Requested Installations (30 days)

2