Snort - the de facto standard for intrusion detection/prevention

5.5 How to start Snort as a win32 service?

  1. You must use complete paths for everything. This means EVERYTHING: Command line, configuration files, everything.

    Examples: All include statements must be full paths:

    WRONG: include scan-lib

    CORRECT: include C:\snort\scan-lib

    All command line options must be full paths:

    WRONG: snort.exe -l ./log

    CORRECT: snort.exe -l C:\snort\log

  2. YOU MUST ALWAYS HAVE A LOGGING DIRECTORY SET VIA THE COMMAND LINE (-l switch). If you do not set a logging directory the service will not start and, on NT/Win2k, your bootup will hang for about 4 minutes.
  3. Make sure that snort runs correctly from the command line, without yet worrying about any service related issues. Test that all of your desired command line parameters are causing snort to function as you expect, such as correctly generating logging and alert output. If you can't get this part to work, then you don't have much hope of snort miraculously starting to work as a service.
  4. Once you have step (3) running correctly, modify the command line parameters you used in step (3) to include the additional parameters "/SERVICE /INSTALL". For example, if your command line in step (3) was:
            snort -i1 -lC:\snort\log -cC:\snort\snort.conf
    
    then you should change it to be:
            snort /SERVICE /INSTALL -i1 -lC:\snort\log -cC:\snort\snort.conf
    
    Verify that the command line parameters were received correctly by running the command "snort /SERVICE /SHOW".
  5. Start the service by running the command:
            net start snortsvc
    
    Note that versions 1.9 (build 228), 2.0 (build 50), or any versions newer than these, will add entries to the Win32 Event Log if there is ever a problem starting the service. Stop the service by running the command:
            net stop snortsvc
    
  6. The service can be uninstalled by running the command:
            snort /SERVICE /UNINSTALL
    

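A preflight check for steps 1, 2 and 4, added here as an example and not part of the Snort FAQ or of Snort's own code. It assumes the small constructed snort.conf embedded in the block, flags include directives and -l/-c arguments that are not drive-rooted paths (the only kind a Win32 service can rely on), and expands `var` definitions first so that `$RULE_PATH`-style includes are judged after substitution.

```python
import re
from typing import Dict, List

# Constructed sample snort.conf: one include via a var, one relative, one absolute.
SAMPLE_CONF = r"""
var RULE_PATH C:\snort\rules
include $RULE_PATH\local.rules
include scan-lib
include C:\snort\classification.config
""".strip()

ABS_WIN = re.compile(r"^[A-Za-z]:[\\/]")

def is_absolute_win(path: str) -> bool:
    """A service has no useful working directory, so only drive-rooted paths count."""
    return bool(ABS_WIN.match(path))

def check_conf(text: str) -> List[str]:
    """Return one finding per include directive that is not a full path.
    'var' lines are recorded first so $NAME references can be expanded."""
    variables: Dict[str, str] = {}
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^var\s+(\w+)\s+(.+)$", line)
        if m:
            variables[m.group(1)] = m.group(2).strip()
            continue
        m = re.match(r"^include\s+(.+)$", line)
        if not m:
            continue
        shown = m.group(1).strip()
        target = re.sub(r"\$(\w+)", lambda v: variables.get(v.group(1), v.group(0)), shown)
        if not is_absolute_win(target):
            findings.append(f"line {lineno}: include '{shown}' is not a full path")
    return findings

def check_cmdline(argv: List[str]) -> List[str]:
    """-l is mandatory (the service will not start without it); -l and -c must be full paths.
    Accepts both the attached form (-lC:\\snort\\log) and the separated form (-l C:\\snort\\log)."""
    opts: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok[:2] in ("-l", "-c"):
            if len(tok) > 2:
                opts[tok[:2]] = tok[2:]
            elif i + 1 < len(argv):
                i += 1
                opts[tok] = argv[i]
        i += 1
    findings: List[str] = []
    if "-l" not in opts:
        findings.append("no -l logging directory: service will fail to start")
    for flag, value in opts.items():
        if not is_absolute_win(value):
            findings.append(f"{flag} {value!r} is not a full path")
    return findings
```

Run both checks against the exact argument list you intend to pass to "snort /SERVICE /INSTALL"; an empty result from each is the condition step 4 relies on.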
