Running and Testing
[root]# chown -R snort:snort /usr/local/snort
[root]# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua
--plugin-path /usr/local/snort/extra -i eth0 -l /var/log/snort
-D -u snort -g snort --create-pidfile -k none --warn-all
[root]# ps aux | grep snort
snort 943449 ... /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua
--plugin-path /usr/local/snort/extra -i eth0 -l /var/log/snort -D -u snort -g snort
--create-pidfile -k none --warn-all
[root]# killall snort
Systemd
・Unit file
Note: ExecStart below passes -D (daemon mode) while Type=simple expects the started process to stay in the foreground, so systemd may see the service exit immediately and $MAINPID in ExecReload may not point at the running snort process — confirm against your snort version and, if it does daemonize, drop -D or use Type=forking. Also, because of the chown -R above, ReadWritePaths=/usr/local/snort typically leaves the binary, configuration and rules writable by the snort user; for least privilege consider limiting write access to the paths snort actually has to write, such as the log and pid-file locations.
[root]# vim /usr/lib/systemd/system/snortd.service
[Unit]
Description=Snort 3 Intrusion Detection and Prevention service
After=syslog.target network.target
[Service]
Type=simple
ProtectSystem = true
ProtectHome = true
ReadWritePaths = /usr/local/snort /var/log/snort
ExecStart=/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua \
--plugin-path /usr/local/snort/extra -i eth0 -l /var/log/snort \
-D -u snort -g snort --create-pidfile -k none
ExecReload=/bin/kill -SIGHUP $MAINPID
User=snort
Group=snort
Restart=on-failure
RestartSec=5s
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK
[Install]
WantedBy=multi-user.target
[root]# cp -v /usr/lib/systemd/system/snortd.service /etc/systemd/system
・Reload systemd
[root]# systemctl daemon-reload
・Start the service
[root]# systemctl {start|stop|reload-or-restart|status} snortd   (pick one subcommand)
・Enable the service
[root]# systemctl {enable|disable} snortd   (pick one subcommand)
・Enable and start the service
[root]# systemctl enable --now snortd
・Disable and stop the service
[root]# systemctl disable --now snortd
・Confirm
[root]# ps aux | grep snort
[root]# systemctl -l status snortd.service