Installing Snort 2.9.7.x on Ubuntu – Part 7: Creating Startup Scripts
UPDATE: Snort 2.9.9.x has been released. Please see the updated series of articles here or my quick install guide here.
I am leaving this older guide online for anyone who wants to install this older version of Snort on Ubuntu, but you really should be using the updated guide for the 2.9.9.x version of Snort, since support for older versions of Snort is set to expire, and the updated guide is kept more up to date and includes BASE instead of Snorby for a Web GUI.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Installing Snort
- Configure Snort to Run as a NIDS
- Writing and Testing a Single Rule With Snort
- Installing Barnyard2
- Installing PulledPork
- Installing BASE
- Creating Startup Scripts
- Conclusion
Overview
In the previous articles in this series, we have created a complete Snort NIDS with a web interface and rulesets that automatically update. In this article, we will finalize the configuration of our Snort server by creating startup scripts for the Snort and Barnyard2 daemons, so that both come up on their own after a reboot. We will use Upstart for Ubuntu 12 and 14, and systemd for Ubuntu 15.
Skip down to the Ubuntu 15 systemd scripts.
Creating the Upstart Scripts for Ubuntu 12 and 14
This section is for Ubuntu 12 and 14. If you are using Ubuntu 15, skip this section and go to the next section titled “Creating systemd startup scripts in Ubuntu 15”.
First create the Snort daemon script:
sudo vi /etc/init/snort.conf
We will insert the content below into this Upstart job. The flags are the same ones we used in the earlier articles, so if Snort ran correctly for you earlier you should not need to change them. Do confirm that the path to the snort binary matches your installation (`which snort` will tell you); the systemd unit later in this article uses /usr/local/bin/snort, and Upstart will silently fail to start a job whose exec path does not exist:
description "Snort NIDS service"
stop on runlevel [!2345]
start on runlevel [2345]
script
    exec /usr/sbin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
end script
Upstart reads job files straight from /etc/init, so the execute bit is not required (the chmod is harmless, though). Check that Upstart has parsed the job; it shows as stop/waiting until it is started:
sudo chmod +x /etc/init/snort.conf
initctl list | grep snort
snort stop/waiting
Do the same for our Barnyard2 job:
sudo vi /etc/init/barnyard2.conf
with the following content:
description "barnyard2 service"
stop on runlevel [!2345]
start on runlevel [2345]
script
    exec /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D
end script
Again, the chmod is optional; the initctl check is the part that matters:
sudo chmod +x /etc/init/barnyard2.conf
initctl list | grep barnyard
barnyard2 stop/waiting
Reboot the computer and check that both services are started:
user@snortserver:~$ service snort status
snort start/running, process 1116
user@snortserver:~$ service barnyard2 status
barnyard2 start/running, process 1109
user@snortserver:~$
If a job instead reports stop/waiting while `pgrep -x snort` (or `pgrep -x barnyard2`) still finds a running process, Upstart lost track of the daemon when -D made it fork away from the PID Upstart was watching; `service ... stop` will then not stop it either. Either remove -D from the exec line so the process stays in the foreground under Upstart, or add an `expect fork` stanza to the job so Upstart follows the forked child.
Congratulations: if you have output similar to the above, you have successfully configured an entire Snort NIDS. Continue to the next section to learn how to configure promiscuous mode for ESXi and for our wrap-up (or continue below for the Ubuntu 15 systemd startup scripts).
Creating systemd startup scripts in Ubuntu 15
Ubuntu 15 has moved to systemd for services / daemons. For more information about creating and managing systemd services, please see this excellent article.
To create the Snort systemd service, use an editor to create a service file. (The guide places it under /lib/systemd/system; /etc/systemd/system is the conventional location for administrator-written units and takes precedence over /lib, so either works, but keep your own units in /etc if you want them to survive package upgrades.)
sudo vi /lib/systemd/system/snort.service
with the following content (change eth0 if different on your system). Note that there is no -D flag: with Type=simple, systemd expects the process it launched to stay in the foreground and supervises it directly:
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

[Install]
WantedBy=multi-user.target
Now we tell systemD that the service should be started at boot:
sudo systemctl enable snort
And start the Snort service:
sudo systemctl start snort
Verify the service is running; the output should show "Active: active (running)" with a PID:
systemctl status snort
Next, create the Barnyard2 systemd service. We add one flag here: -a /var/log/snort/archived_logs, which moves unified2 files that Barnyard2 has finished processing into the /var/log/snort/archived_logs/ folder (make sure that directory exists and is writable by the snort user before starting the service). We deliberately do not add Barnyard2's -D (daemonize) flag: with Type=simple, systemd watches the process it started, and if that process forks and its parent exits, systemd treats the service as finished and stops it, killing the forked child along with it. If you prefer to keep -D, change Type=simple to Type=forking instead. Use an editor to create a service file:
sudo vi /lib/systemd/system/barnyard2.service
With the following content:
[Unit]
Description=Barnyard2 Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -q -w /var/log/snort/barnyard2.waldo -g snort -u snort -a /var/log/snort/archived_logs

[Install]
WantedBy=multi-user.target
Unit files are plain configuration and do not need to be executable; systemd reads them directly. Check that systemd sees the new unit (and if you later edit a unit that has already been loaded, run `sudo systemctl daemon-reload` so the change is picked up):
user@snortserver:~$ systemctl list-unit-files | grep barnyard2
barnyard2.service    disabled
user@snortserver:~$
Now we tell systemD that the service should be started at boot:
sudo systemctl enable barnyard2
And start the barnyard2 service:
sudo systemctl start barnyard2
Verify the service is running; as with Snort, look for "Active: active (running)":
systemctl status barnyard2
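The Upstart jobs earlier in this article and the systemd units in this section share one failure mode: a daemon that forks itself away from the PID the init system is watching. As an added example that is not part of the original guide, the POSIX sh script below lints either kind of file for that mismatch (Snort's and Barnyard2's -D flag against Type=simple, or against a missing `expect fork` stanza) and checks that the binary named on the start line actually exists on this host, which catches the /usr/sbin/snort versus /usr/local/bin/snort path mix-up. The sample files it writes under a temporary directory are constructed for the example (they use /bin/sh as a stand-in binary that is guaranteed to exist); on a real server run it against /etc/systemd/system/*.service, /lib/systemd/system/*.service or /etc/init/*.conf.

```shell
#!/bin/sh
# Added example (not part of the original guide): lint a systemd unit
# (*.service) or an Upstart job (*.conf) for the mismatch between a daemon
# that backgrounds itself with -D and an init system that expects the
# process it launched to stay in the foreground, and check that the binary
# on the start line exists. Assumes POSIX sh, sed, grep and mktemp; the
# files written by make_samples are constructed for this example.

# Print the command line the init system launches (first match only).
start_cmd() {
    case "$1" in
        *.service) sed -n 's/^ExecStart=//p' "$1" | head -n 1 ;;
        *.conf)    sed -n 's/^[[:space:]]*exec[[:space:]][[:space:]]*//p' "$1" | head -n 1 ;;
        *)         return 2 ;;
    esac
}

# True if the command line carries Snort's / Barnyard2's -D (daemonise) flag.
has_daemon_flag() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])-D([[:space:]]|$)'
}

# 0 = consistent, 1 = mismatch (reason on stderr), 2 = no start line found.
check_daemon_mode() {
    f=$1
    cmd=$(start_cmd "$f") || return 2
    [ -n "$cmd" ] || return 2
    case "$f" in
        *.service)
            svc_type=$(sed -n 's/^Type=//p' "$f" | head -n 1)
            svc_type=${svc_type:-simple}    # systemd's default when Type= is absent
            if has_daemon_flag "$cmd" && [ "$svc_type" = simple ]; then
                echo "$f: -D with Type=simple; the parent exits and systemd stops the unit" >&2
                return 1
            fi
            if ! has_daemon_flag "$cmd" && [ "$svc_type" = forking ]; then
                echo "$f: Type=forking but the process never forks; start-up hangs" >&2
                return 1
            fi ;;
        *.conf)
            if has_daemon_flag "$cmd" && ! grep -Eq '^[[:space:]]*expect[[:space:]]+(fork|daemon)' "$f"; then
                echo "$f: -D without an 'expect fork' stanza; Upstart tracks a PID that exits" >&2
                return 1
            fi ;;
    esac
    return 0
}

# 0 if the first word of the start line is an executable that exists.
check_binary() {
    cmd=$(start_cmd "$1") || return 2
    [ -x "${cmd%% *}" ]
}

# Constructed sample files; prints the temp directory they live in.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '[Service]' 'Type=simple' \
        'ExecStart=/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -q -w /var/log/snort/barnyard2.waldo -g snort -u snort -D -a /var/log/snort/archived_logs' \
        > "$d/barnyard2-daemonised.service"
    printf '%s\n' '[Service]' 'Type=simple' \
        "ExecStart=/bin/sh -c 'exec snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0'" \
        > "$d/snort-foreground.service"
    printf '%s\n' '[Service]' 'Type=simple' \
        'ExecStart=/opt/nowhere/bin/snort -q -c /etc/snort/snort.conf -i eth0' \
        > "$d/snort-missing-binary.service"
    printf '%s\n' 'start on runlevel [2345]' 'script' \
        '    exec /usr/sbin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D' \
        'end script' > "$d/snort-daemonised.conf"
    printf '%s\n' 'start on runlevel [2345]' 'expect fork' 'script' \
        '    exec /usr/sbin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D' \
        'end script' > "$d/snort-expect-fork.conf"
    printf '%s\n' "$d"
}

# Usage: sh lint-init-files.sh /etc/systemd/system/*.service /etc/init/*.conf
for f in "$@"; do
    check_daemon_mode "$f"
    check_binary "$f" || echo "$f: start binary missing or not executable" >&2
done
```

The checker deliberately treats a missing Type= as Type=simple, because that is systemd's default, and it only accepts `expect fork` or `expect daemon` as evidence that an Upstart job knows its process will fork; a job that backgrounds itself without one of those stanzas will show stop/waiting even though the daemon is running.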
Reboot the computer and check that both services came up on their own:
user@snortserver:~$ systemctl status snort
user@snortserver:~$ systemctl status barnyard2
Each should report "Active: active (running)" with a PID. You can also confirm that Snort dropped privileges as intended by checking that the process runs as the snort user:
user@snortserver:~$ pgrep -u snort -x snort
Congratulations: if you have output similar to the above, you have successfully configured an entire Snort NIDS. Continue to the next section to learn how to configure promiscuous mode for ESXi and for our wrap-up.