In the previous articles in this series, we have created a complete Snort NIDS with a web interface and rulesets that automatically update. In this article, we will finalize the configuration of our Snort service by creating systemD scripts for the Snort and Barnyard2 daemons. If you are running Ubuntu 14, you should go see my Upstart article instead of this article.
Ubuntu 16 has moved to systemD for services / daemons. For more information about creating and managing systemD servcies, please see this excellent article.
To create the Snort systemD service, use an editor to create a service file:
sudo vi /lib/systemd/system/snort.service
with the following content (change ens160 if different on your system):
[Unit] Description=Snort NIDS Daemon After=syslog.target network.target [Service] Type=simple ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i ens160 [Install] WantedBy=multi-user.target
Now we tell systemD that the service should be started at boot:
sudo systemctl enable snort
And start the Snort service:
sudo systemctl start snort
Verify the service is running
systemctl status snort
Next, create the Barnyard2 systemd service. We will add two flags here: -D to run as a daemon, and -a /var/log/snort/archived logs, this will move logs that Barnyard2 has processed to the /var/log/snort/archived/ folder. Use an editor to create a service file:
sudo vi /lib/systemd/system/barnyard2.service
With the following content:
[Unit] Description=Barnyard2 Daemon After=syslog.target network.target [Service] Type=simple ExecStart=/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -q -w /var/log/snort/barnyard2.waldo -g snort -u snort -D -a /var/log/snort/archived_logs [Install] WantedBy=multi-user.target
Now we tell systemD that the service should be started at boot:
sudo systemctl enable barnyard2
And start the barnyard2 service:
sudo systemctl start barnyard2
Verify the service is running
systemctl status barnyard2
Reboot the computer and check that both services are started
user@snortserver:~$ service snort status snort start/running, process 1116 user@snortserver:~$ service barnyard2 status barnyard2 start/running, process 1109 user@snortserver:~$
If both services are running, you are ready to move to the next section, where you will install BASE, a web-based GUI to view and profile alert data: Installing BASE
UPDATE: Snort 2.9.9.x has been released. Please see the updated series of articles here or my quick install guide here.
I am leaving this older guide online for anyone who wants to install this older version of Snort on Ubuntu, but you really should be using the updated guide for the 2.9.9.x version of Snort, since support for older versions of Snort are set to expire, and the updated guide is kept more up to date and includes BASE instead of Snorby for a Web GUI.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In the previous articles in this series, we have created a complete Snort NIDS with a web interface and rulesets that automatically update. In this article, we will finalize the configuration of our Snort service by creating systemD scripts for the Snort and Barnyard2 daemons. If you are running Ubuntu 12 or 14, you should go see my Upstart article instead of this article.
Ubuntu 15 has moved to systemD for services / daemons. For more information about creating and managing systemD servcies, please see this excellent article.
To create the Snort systemD service, use an editor to create a service file:
sudo vi /lib/systemd/system/snort.service
with the following content (change eth0 if different on your system):
[Unit] Description=Snort NIDS Daemon After=syslog.target network.target [Service] Type=simple ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 [Install] WantedBy=multi-user.target
Now we tell systemD that the service should be started at boot:
sudo systemctl enable snort
And start the Snort service:
sudo systemctl start snort
Verify the service is running
systemctl status snort
Next, create the Barnyard2 systemd service. We will add two flags here: -D to run as a daemon, and -a /var/log/snort/archived logs, this will move logs that Barnyard2 has processed to the /var/log/snort/archived/ folder. Use an editor to create a service file:
sudo vi /lib/systemd/system/barnyard2.service
With the following content:
[Unit] Description=Barnyard2 Daemon After=syslog.target network.target [Service] Type=simple ExecStart=/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -q -w /var/log/snort/barnyard2.waldo -g snort -u snort -D -a /var/log/snort/archived_logs [Install] WantedBy=multi-user.target
Now we tell systemD that the service should be started at boot:
sudo systemctl enable barnyard2
And start the barnyard2 service:
sudo systemctl start barnyard2
Verify the service is running
systemctl status barnyard2
Reboot the computer and check that both services are started
user@snortserver:~$ service snort status snort start/running, process 1116 user@snortserver:~$ service barnyard2 status barnyard2 start/running, process 1109 user@snortserver:~$
If both services are running, you are ready to move to the next section, where you will install Snorby, a web-based GUI to view and profile alert data. The instructions are broken up into three different versions, based on the version of Ubuntu you are running.
Choose one of the following:
Ubuntu 12: Installing Snorby on Ubuntu 12
Ubuntu 14: Installing Snorby on Ubuntu 14
Ubuntu 15: Installing Snorby on Ubuntu 15