Problem
You run a Windows machine, and you want to start Snort at boot time and run it as a Windows service.
Solution
To install Snort as a service, enter:
snort /SERVICE /INSTALL
To uninstall Snort as a service, enter:
snort /SERVICE /UNINSTALL
To see the state of Snort as a service, enter:
snort /SERVICE /SHOW
Discussion
Services tend to be used for core operating system functionality such as printing, logging, and so on. Running Snort as a service allows for automated starting and, just as importantly, monitoring and restarting in case of failure. It isn't much good having an IDS if it isn't on!
Snort includes three switches to control its use as a service:
/SERVICE /INSTALL /SERIVCE /UNINSTALL /SERVICE /SHOW
Go through the normal Windows installation and configuration. Then, in the Snort directory, type snort /SERVICE /INSTALL, followed by your usual parameters. For example:
snort /SERVICE /INSTALL -de -c c:snortetcsnort.conf -l c:snortlog -i1
You should get a response similar to:
[SNORT_SERVICE] Attempting to install the Snort service. [SNORT_SERVICE] The full path to the Snort binary appears to be: C:Snortinsnort /SERVICE [SNORT_SERVICE] Successfully added registry keys to: HKEY_LOCAL_MACHINESOFTWARESnort [SNORT_SERVICE] Successfully added the Snort service to the Services database.
This installs Snort as a service; however, it doesn't set the service to Automatic so that it starts on boot, and it doesn't start the service either. You need to do both manually through the Windows Service manager. This is accessed through the Services shortcut under Administrative Tools in the Windows Control Panel. Scroll down the services list until you get to Snort, right-click, and then select Properties. Change the Startup type: from Manual to Automatic to get it to restart at boot, and click on the Start button under Service status to start it up immediately.
To check the status of a Snort service, and to see which options it is being passed, you need to make use of the /SHOW switch.
C:Snortin>snort /SERVICE /SHOW
which should produce the following output:
Snort is currently configured to run as a Windows service using the Following command-line parameters: -de -c c:Snortetcsnort.conf -l c:snortlog -i1
And if you decide that you no longer wish for Snort to run as a service, you can remove it by using the /UNINSTALL switch.
C:Snortin>snort /SERVICE /UNINSTALL
Which gives the following output:
[SNORT_SERVICE] Attempting to uninstall the Snort service. [SNORT_SERVICE] Successfully removed registry keys from: HKEY_LOCAL_MACHINESOFTWARESnort [SNORT_SERVICE] Successfully removed the Snort service from the Services database.
At this point, you should reboot to ensure that the service is properly removed.
To use the automated restarting features of services, you need to change the options that are under the Recovery tab in the Service Properties window that you managed to open earlier by right-clicking on the service. Here you can specify the action to be taken on the first, second, and subsequent failures of the service.
For further information on this, you should read the documentation for your version of Windows.
See Also
Recipe 1.4
Capturing Without Putting the Interface into Promiscuous Mode |
Installing Snort from Source on Unix
Logging to a File Quickly
How to Build Rules
Detecting Stateless Attacks and Stream Reassembly
Managing Snort Sensors
Generating Statistical Output from Snort Logs
Monitoring Network Performance
Index