Snort3 (Systemd)

Running and Testing

    [root]# chown -R snort:snort /usr/local/snort
    (The daemon only needs to read its binaries, configuration and plugins under /usr/local/snort; keeping them root-owned with read permission for the snort user, and limiting the unit's ReadWritePaths= to /var/log/snort, prevents a compromised snort process from rewriting its own code, rules or config.)
    [root]# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua
                --plugin-path /usr/local/snort/extra -i eth0 -l /var/log/snort
                -D -u snort -g snort --create-pidfile -k none --warn-all

    [root]# ps aux | grep snort

        snort  943449 ...  /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua
        --plugin-path /usr/local/snort/extra -i eth0 -l /var/log/snort -D -u snort -g snort
        --create-pidfile -k none --warn-all

    [root]# killall snort

Systemd

    ・Unit file
      (Note: `-D` makes snort fork into the background, which does not match `Type=simple` — systemd would track the parent process that exits, and `$MAINPID` in ExecReload would not refer to the running daemon. Either drop `-D` so systemd supervises the foreground process, or use `Type=forking` with `PIDFile=` pointing at the file that `--create-pidfile` writes.)

    [root]# vim /usr/lib/systemd/system/snortd.service

      [Unit]
      Description=Snort 3 Intrusion Detection and Prevention service
      After=syslog.target network.target

      [Service]
      Type=simple
      ProtectSystem = true
      ProtectHome = true
      ReadWritePaths = /usr/local/snort /var/log/snort
      ExecStart=/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua \
                            --plugin-path /usr/local/snort/extra -i eth0 -l /var/log/snort \
                            -D -u snort -g snort --create-pidfile -k none
      ExecReload=/bin/kill -SIGHUP $MAINPID
      User=snort
      Group=snort
      Restart=on-failure
      RestartSec=5s
      CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK
      AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK

      [Install]
      WantedBy=multi-user.target

    [root]# cp -v /usr/lib/systemd/system/snortd.service /etc/systemd/system

    ・Reload systemd

    [root]# systemctl daemon-reload

    ・Start the service

    [root]# systemctl { start stop reload-or-restart status } snortd

    ・Enable the service

    [root]# systemctl { enable disable } snortd

    ・Enable and start the service

    [root]# systemctl enable --now snortd

    ・Disable and stop the service

    [root]# systemctl disable --now snortd

    ・Confirm

    [root]# ps aux | grep snort
    [root]# systemctl -l status snortd.service