Running Snort as a Windows Service


You run a Windows machine, and you want to start Snort at boot time and run it as a Windows service.


To install Snort as a service, enter:


To uninstall Snort as a service, enter:


To see the state of Snort as a service, enter:




Services tend to be used for core operating system functionality such as printing, logging, and so on. Running Snort as a service allows for automated starting and, just as importantly, monitoring and restarting in case of failure. It isn't much good having an IDS if it isn't on!

Snort includes three switches to control its use as a service:




Go through the normal Windows installation and configuration. Then, in the Snort directory, type snort /SERVICE /INSTALL, followed by your usual parameters. For example:

snort /SERVICE /INSTALL -de -c c:snortetcsnort.conf -l

c:snortlog -i1

You should get a response similar to:

[SNORT_SERVICE] Attempting to install the Snort service.

[SNORT_SERVICE] The full path to the Snort binary appears to be:

 C:Snortinsnort /SERVICE

[SNORT_SERVICE] Successfully added registry keys to:


[SNORT_SERVICE] Successfully added the Snort service to the Services


This installs Snort as a service; however, it doesn't set the service to Automatic so that it starts on boot, and it doesn't start the service either. You need to do both manually through the Windows Service manager. This is accessed through the Services shortcut under Administrative Tools in the Windows Control Panel. Scroll down the services list until you get to Snort, right-click, and then select Properties. Change the Startup type: from Manual to Automatic to get it to restart at boot, and click on the Start button under Service status to start it up immediately.

To check the status of a Snort service, and to see which options it is being passed, you need to make use of the /SHOW switch.

C:Snortin>snort /SERVICE /SHOW

which should produce the following output:

Snort is currently configured to run as a Windows service using the

Following command-line parameters:

 -de -c c:Snortetcsnort.conf -l c:snortlog -i1

And if you decide that you no longer wish for Snort to run as a service, you can remove it by using the /UNINSTALL switch.


Which gives the following output:

[SNORT_SERVICE] Attempting to uninstall the Snort service.

[SNORT_SERVICE] Successfully removed registry keys from:


[SNORT_SERVICE] Successfully removed the Snort service from the

Services database.

At this point, you should reboot to ensure that the service is properly removed.

To use the automated restarting features of services, you need to change the options that are under the Recovery tab in the Service Properties window that you managed to open earlier by right-clicking on the service. Here you can specify the action to be taken on the first, second, and subsequent failures of the service.

For further information on this, you should read the documentation for your version of Windows.

See Also

Recipe 1.4

Capturing Without Putting the Interface into Promiscuous Mode

Installing Snort from Source on Unix

Logging to a File Quickly

How to Build Rules

Detecting Stateless Attacks and Stream Reassembly

Managing Snort Sensors

Generating Statistical Output from Snort Logs

Monitoring Network Performance


Snort Cookbook
Snort Cookbook
ISBN: 0596007914
EAN: 2147483647
Year: 2006
Pages: 167 © 2008-2020.
If you may any questions please contact us: