Running and Testing
[root]# chown -R snort:snort /usr/local/snort
(Note: Snort only needs read access to its install tree. Keeping /usr/local/snort owned by root and world-readable (chmod -R o+rX) is the least-privilege choice, because a snort user that owns its own binary, configuration, rules and plugins could modify them if the process were ever compromised. The only path the snort user must be able to write is the log directory, /var/log/snort.)
[root]# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua
--plugin-path /usr/local/snort/extra -i eth0 -l /var/log/snort
-D -u snort -g snort --create-pidfile -k none --warn-all
[root]# ps aux | grep snort
snort 943449 ... /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua
--plugin-path /usr/local/snort/extra -i eth0 -l /var/log/snort -D -u snort -g snort
--create-pidfile -k none --warn-all
[root]# killall snort
Systemd
・Unit file
[root]# vim /usr/lib/systemd/system/snortd.service
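[Unit]
Description=Snort 3 Intrusion Detection and Prevention service
# Snort is bound to a fixed interface (eth0 below); network.target does not
# guarantee that interfaces are configured, network-online.target does. It is
# pulled in with Wants= so the target is actually activated. The obsolete
# syslog.target has been dropped.
Wants=network-online.target
After=network-online.target

[Service]
# Foreground process: with Type=simple systemd tracks the process it executed.
# Snort must therefore NOT be started with -D (daemonize): the parent would
# exit, systemd would consider the service finished, kill the forked child,
# and $MAINPID in ExecReload= would not point at Snort. Without -D, Snort's
# console output also lands in the journal.
Type=simple
# User=/Group= below already start the process unprivileged, so Snort's own
# -u/-g switches are unnecessary (CAP_SETUID/CAP_SETGID are not granted).
# -k none: skip checksum verification so packets whose checksums look wrong
# (e.g. because of NIC checksum offload on the capture host) are still
# inspected; drop it on hosts where checksums are trustworthy.
# --create-pidfile: the PID file is written under the -l log directory, which
# is the only writable path granted below.
ExecStart=/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua \
--plugin-path /usr/local/snort/extra -i eth0 -l /var/log/snort \
--create-pidfile -k none
# Optional: validate the configuration before starting so a broken snort.lua
# fails the unit with a clear error instead of a restart loop (rules load
# twice, so start-up time roughly doubles):
# ExecStartPre=/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua --plugin-path /usr/local/snort/extra -T
# SIGHUP makes Snort re-read its configuration without restarting.
ExecReload=/bin/kill -SIGHUP $MAINPID
User=snort
Group=snort
Restart=on-failure
RestartSec=5s

# --- Filesystem -------------------------------------------------------------
# strict: the whole filesystem is read-only for the service except the
# directories explicitly granted below. The Snort install tree (binary,
# configuration, rules, plugins) stays read-only so a compromised process
# cannot modify its own code or config.
ProtectSystem=strict
ProtectHome=true
# /var/log/snort is created (if missing) with this owner and mode and is
# implicitly writable despite ProtectSystem=strict. UMask=0077 below makes
# the log files Snort creates readable by the snort user only.
LogsDirectory=snort
LogsDirectoryMode=0750
UMask=0077
PrivateTmp=true
PrivateMounts=true
# No /dev access: packet capture with the default afpacket DAQ uses sockets,
# not device nodes. Revisit if a DAQ module that needs /dev is used.
PrivateDevices=true
ProtectProc=noaccess
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectClock=true
ProtectHostname=true

# --- Privileges and capabilities --------------------------------------------
NoNewPrivileges=true
RestrictSUIDSGID=true
RestrictNamespaces=true
RestrictRealtime=true
LockPersonality=true
RemoveIPC=true
PrivateIPC=true
# CAP_NET_RAW: open packet sockets; CAP_NET_ADMIN: put the interface into
# promiscuous mode; CAP_IPC_LOCK: lock the capture ring buffers in memory.
# The bounding set caps what the process can ever hold; AmbientCapabilities
# hands these to the unprivileged snort user at exec time.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK
# Only the socket families capture, name resolution and logging need.
# Extend this list if another DAQ module (e.g. nfq) is configured.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_PACKET

# --- System calls -----------------------------------------------------------
# MemoryDenyWriteExecute= is deliberately NOT set: Snort 3 embeds LuaJIT,
# which needs writable+executable memory for its JIT.
SystemCallArchitectures=native
# SystemCallFilter= lines accumulate; each ~@group denies that group.
# (~@clock overlaps ProtectClock=true above; kept for defence in depth.)
SystemCallFilter=~@debug
SystemCallFilter=~@swap
SystemCallFilter=~@clock
SystemCallFilter=~@module
SystemCallFilter=~@raw-io
SystemCallFilter=~@reboot
SystemCallFilter=~@obsolete
SystemCallFilter=~@cpu-emulation

[Install]
WantedBy=multi-user.target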
[root]# cp -v /usr/lib/systemd/system/snortd.service /etc/systemd/system
(Note: /etc/systemd/system is the location for locally written units and takes precedence over /usr/lib/systemd/system, which is reserved for units installed by packages. Creating the file directly in /etc/systemd/system makes this copy unnecessary and avoids keeping two diverging copies.)
・Reload systemd
[root]# systemctl daemon-reload
・Start the service
[root]# systemctl {start|stop|reload-or-restart|status} snortd   (use one of the listed subcommands)
・Enable the service
[root]# systemctl {enable|disable} snortd   (use one of the listed subcommands)
・Enable and start the service
[root]# systemctl enable --now snortd
・Disable and stop the service
[root]# systemctl disable --now snortd
・Confirm
[root]# ps aux | grep snort
[root]# systemctl -l status snortd.service