Starting Snort Automatically
Snort can be started automatically on all platforms. Here's how.
Installing Snort as a Service on Win32
Snort can be configured to start as a service on Windows NT and 2000. Installing Snort as a service requires two utilities from the Windows Resource Kit, available from Microsoft.
SRVANY.EXE allows any program to be managed as a service. INSTSRV.EXE is a complementary program that is used to install or remove a service. Follow these steps to install Snort as a service:
1. From the command line, execute this command: instsrv Snort "C:\ResKit\srvany.exe"
2. From the Run menu, run REGEDIT to edit the Registry.
3. Navigate to and select the following key: HKLM\SYSTEM\CurrentControlSet\Services\Snort
4. Right-click and create a new key called "Parameters".
5. Right-click on Parameters and create two new String values called "Application" and "AppParameters", respectively.
6. Modify the Application string value to contain the following: c:\snort\bin\snort.exe
7. Modify the AppParameters string value to contain the following, including the quotation marks: "-deao -c c:\snort\rules\snort.conf -l c:\snort\rules"
8. From the Start menu, go to Programs, Administrative Tools, and open the Services application. Right-click on the Snort service, and click on Start.
To validate that Snort has started, launch the task manager application and view the running processes. You should see srvany.exe and snort.exe listed each time you start the Snort service, and they should both disappear when you stop the Snort service.
By default, the newly installed Snort service will start automatically.
If you do not have access to the Windows NT or 2000 Resource Kit, or you want something that has an alert status tray icon, you may wish to investigate using IDScenter. IDScenter assists you in configuring Snort, and can be configured to start automatically upon login and to launch Snort automatically as well. Unfortunately, this means you must have an account configured to log in automatically for Snort to start after boot.
UNIX/Linux
For BSD-derived systems, simply edit the rc.local script to execute Snort with your configured command line. Something simple, similar to the following, will work:
    # Start Snort as a daemon (-D) only if the binary is present and executable
    if [ -x /usr/local/bin/snort ]; then
        snort_flags="-Ddeao -c /etc/snort.conf -l /var/log/snort -i dc0"
        echo -n ' snort'; /usr/local/bin/snort $snort_flags
    fi
For SysV init type systems, you need to place a startup script in /etc/init.d/ that has all the necessary command-line options. If installing from deb or rpm packages, this file is created automatically; however, you may want to edit the init.d script to ensure that it does not override or conflict with your snort.conf settings.
The appropriate run-level links are made automatically if installed from deb or rpm packages on Linux. For other UNIX variants or installs from the source archive, you need to set the links up manually.
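
A minimal SysV-style startup script of the kind described above, as an added example that is not from the original text or from any distribution package. The interface name (eth0), the PID-file location, and the `SNORT_*` variable and function names are assumptions; the Snort options are the ones used in the rc.local example.

```shell
#!/bin/sh
# /etc/init.d/snort: illustrative SysV init script (added example).
# Assumptions: eth0 as the sniffing interface, and Snort in daemon mode (-D)
# writing its PID to /var/run/snort_<interface>.pid. Adjust for your system.
SNORT_BIN=${SNORT_BIN:-/usr/local/bin/snort}
SNORT_CONF=${SNORT_CONF:-/etc/snort.conf}
SNORT_LOG=${SNORT_LOG:-/var/log/snort}
SNORT_IF=${SNORT_IF:-eth0}
PIDFILE=${PIDFILE:-/var/run/snort_$SNORT_IF.pid}

# Single place where command-line options are set, so it is easy to check
# that they do not contradict snort.conf (paths must not contain spaces).
snort_args() {
    echo "-Ddeao -c $SNORT_CONF -l $SNORT_LOG -i $SNORT_IF"
}

# Fail loudly at boot instead of leaving the sensor silently down.
preflight() {
    [ -x "$SNORT_BIN" ]  || { echo "snort: $SNORT_BIN not executable" >&2; return 1; }
    [ -r "$SNORT_CONF" ] || { echo "snort: cannot read $SNORT_CONF" >&2; return 1; }
    [ -d "$SNORT_LOG" ]  || { echo "snort: no log directory $SNORT_LOG" >&2; return 1; }
}

# True only if the PID file names a live process.
running() {
    [ -r "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

start() {
    running && { echo "snort already running"; return 0; }
    preflight || return 1
    "$SNORT_BIN" $(snort_args)
}

stop() {
    running || { echo "snort not running"; return 0; }
    kill "$(cat "$PIDFILE")"
}

case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    restart) stop; sleep 1; start ;;
    status)  if running; then echo "snort is running"; else echo "snort is stopped"; exit 3; fi ;;
    "")      ;;  # no argument: only define the functions
    *)       echo "Usage: $0 {start|stop|restart|status}" >&2; exit 2 ;;
esac
```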