This is an umbrella bug for all bugs in snort and Guardian with security impact.
(See also: https://wiki.ipfire.org/devel/telco/2017-11-06)
Raise again https://wiki.ipfire.org/devel/telco/2018-01-08
It turned out that most of these have their source in the Snort configuration and/or IPFire's network architecture (especially #10273).
Most of them have their origin in snort being absolute shite :)
Remember that originally, snort in IPFire was only a host IDS. This has been (half?) repurposed as network IDS. Hence all these problems. Not supposed to justify anything, just to explain.
Yesterday, we settled on migrating to Suricata in IPFire 2.x for several reasons:
- Suricata is already settled for 3.x, too
- Snort lacks some important features (multithreading, multiple nfqueues)
- Suricata is under active development (at least more active than Snort)
- Suricata lacks built-in portscan detection, but that is not too bad
- Suricata has built-in IPS mode so we have an alternative to Guardian here
Umbrella bug #11801 contains all steps we need to do for finishing this task.
See also: https://lists.ipfire.org/pipermail/development/2018-July/004612.html
All of the bugs currently filed here are expected to be solved afterwards.
All targeted bugs are fixed, so I ensure that this bug can be closed.
Feel free to re-open if any new one appears and this umbrella bug is required again to structure the development process.