You run a Linux machine and you want to run Snort in the background, starting up at boot time.
Snort provides a daemon mode to allow it to run in the background. This is activated by using the -D switch.
[root@frodo rules]# snort -D -c /etc/snort/snort.conf -l /var/log/snort [root@frodo rules]# ps -ef | grep snort root 10738 1 0 11:34 ? 00:00:00 snort -D -c /etc/snort/snort.conf -l /var/log/snortDiscussion
You'll probably want to run Snort like this: starting at boot and running in the background. If you want to start Snort earlier in the boot sequence, consult your system documentation as to how to edit the boot scripts.
The exact methods for starting Snort at boot vary slightly from distribution to distribution. There are likely to be some slight differences between the exact methods of setting this up on each different Linux distribution. The simplest method, if your system supports it, is to modify the /etc/rc.d/rc.local script. This script runs after all the other init scripts on the system, so your system will be unmonitored between the start of network services and the start of Snort. Add a line similar to the following to your rc.local script:
/usr/local/bin/snort -D -c /etc/snort/snort.conf -l /var/log/snort
You must verify the locations that are relevant to your particular setup. There is an example Snort startup script in /snort-2.x.x/contrib./S99snort.
Running Snort as a daemon is useful only if you are getting good notification from Snort about potential intrusions; otherwise, you are effectively ignoring it. You should refer to the other recipes regarding alerting.
Gerg, Christopher and Kerry J. Cox (eds.). "Chapter 3.3: Command Line Options." In Managing Security with Snort and IDS Tools. Sebastopol, CA: O'Reilly, 2004.
Running Snort as a Windows Service
Installing Snort from Source on Unix
Logging to a File Quickly
How to Build Rules
Detecting Stateless Attacks and Stream Reassembly
Managing Snort Sensors
Generating Statistical Output from Snort Logs
Monitoring Network Performance