Snort3 (Systemd)

Running and Testing

    [root]# chown -R snort:snort /usr/local/snort
    [root]# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua \
                --plugin-path /usr/local/snort/extra -i eth0 -l /var/log/snort \
                -D -u snort -g snort --create-pidfile -k none

    [root]# ps aux | grep snort

        snort  943449 ...  /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua
        --plugin-path /usr/local/snort/extra -i eth0 -l /var/log/snort -D -u snort -g snort
        --create-pidfile -k none

    [root]# killall snort

Systemd

    ・Unit file

    [root]# vim /etc/systemd/system/snortd.service

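# /etc/systemd/system/snortd.service — runs Snort 3 as a sandboxed system service.
# Read by systemd: `#` starts a full-line comment, `=` is the only delimiter,
# repeated list-type keys accumulate. After editing:
#   systemctl daemon-reload && systemd-analyze security snortd.service

[Unit]
Description=Snort 3 Intrusion Detection and Prevention service
# syslog.target no longer exists on current systemd releases and is simply
# ignored; ordering after network.target is what the capture interface needs.
After=network.target

[Service]
# Snort must stay in the foreground under Type=simple. With `-D` the process
# systemd started forks and exits, the unit goes inactive, and
# KillMode=control-group then terminates the daemonised child; $MAINPID in
# ExecReload would also point at the exited parent. `-D` is therefore dropped
# from ExecStart (use Type=forking plus PIDFile= if daemon mode is required).
Type=simple
# Only systemd's own tools read SYSTEMD_LOG_LEVEL; snort does not use it.
Environment=SYSTEMD_LOG_LEVEL=debug,console:info
ExecStart=/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua --plugin-path /usr/local/snort/extra -i eth0 -l /var/log/snort -u snort -g snort --create-pidfile -k none
ExecReload=/bin/kill -SIGHUP $MAINPID
KillMode=control-group
Restart=on-failure
RestartSec=10s

# Seccomp: the listed groups are denied, everything else stays allowed.
# Groups the author left disabled are kept as comments below. @privileged
# contains the setuid/setgid family that `-u snort -g snort` relies on;
# @resources and @mount presumably collide with snort's start-up as well —
# check the journal before enabling either.
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @module @obsolete @raw-io @reboot @swap
# SystemCallFilter=~@mount
# SystemCallFilter=~@privileged
# SystemCallFilter=~@resources

# Capability bounding set. systemd accepts only plain CAP_* names here; the
# CAP_(A|B) and CAP_X_* patterns printed by `systemd-analyze security` are not
# valid tokens and, as far as I can tell, are logged and ignored at load time,
# so an inverted list written with them leaves those capabilities in place.
# An explicit allowlist says what is actually granted: CAP_NET_RAW and
# CAP_NET_ADMIN for AF_PACKET capture on -i eth0 (promiscuous mode), CAP_SETUID
# and CAP_SETGID for the -u/-g privilege drop. If snort logs EPERM at start-up,
# add the single capability it names rather than reverting to the inverted form.
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SETUID CAP_SETGID
# RestrictAddressFamilies=~AF_PACKET AF_NETLINK would remove the family the
# capture socket uses. An allowlist (AF_PACKET AF_UNIX AF_NETLINK AF_INET AF_INET6)
# is the form worth testing instead.

UMask=0077

# Filesystem view: read-only system, private /tmp and mount table, no /home.
ProtectSystem=strict
PrivateTmp=yes
PrivateMounts=yes
ProtectHome=yes
# NOTE(review): making the whole install tree writable lets a compromised snort
# process rewrite its own binary, configuration and rules, which defeats
# ProtectSystem=strict for exactly the files that matter most. If the service
# only writes under /var/log/snort, drop /usr/local/snort from this list.
ReadWritePaths=/usr/local/snort /var/log/snort

# Device, kernel and cgroup isolation.
PrivateDevices=yes
ProtectClock=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes

# Privilege escalation: dropping to snort:snort is still permitted under
# NoNewPrivileges; only gaining privileges is blocked.
NoNewPrivileges=yes
# MemoryDenyWriteExecute=yes — left disabled by the author; presumably snort
# needs writable+executable pages (JIT-backed components). Confirm before enabling.
ProcSubset=pid

RestrictSUIDSGID=yes
ProtectHostname=yes
LockPersonality=yes
ProtectProc=invisible
RestrictRealtime=yes
RemoveIPC=yes
PrivateIPC=yes

[Install]
WantedBy=multi-user.target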

    ・Reload systemd

    [root]# systemctl daemon-reload

    ・systemd security score

    [root]# systemd-analyze security snortd.service

    → Overall exposure level for snortd.service: 4.1 OK

    ・Start the service

    [root]# systemctl { start stop reload-or-restart status } snortd.service

    ・Enable the service

    [root]# systemctl { enable disable } snortd.service

    ・Enable and start the service

    [root]# systemctl enable --now snortd.service

    ・Disable and stop the service

    [root]# systemctl disable --now snortd.service

    ・Confirm

    [root]# ps aux | grep snort
    [root]# systemctl -l status snortd.service