Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Systemd startup script for Snort on Ubuntu 15 - systemd not reporting service status correctly
748 views
Skip to first unread message
Noah Dietrich
May 10, 2015, 4:40:21 AM5/10/15
to
Hello,
I am having some issues creating a systemd startup script for Snort 2.9.7.x on Ubuntu 15. I think the issue is related to how snort forks, and there being an issue with snort notifying systemd that it has started.
the systemd script I am using:
noah@snort$ vi /lib/systemd/system/snort.service
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target
[Service]
TimeoutStartSec=0
Type=forking
PIDFile=/run/snort_eth0.pid
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
[Install]
WantedBy=multi-user.target
I start snort as follows:
noah@snort:/etc/systemd$ sudo systemctl daemon-reload; sudo systemctl start snort.service --no-block
(i use no-block to return to the command prompt, otherwise it just sits there).
I then verify that snort is running (I send packets that generate alerts that show up in the database). Once i'm sure that snort is working, I check the status of the daemon with systemclt:
noah@snort:/etc/systemd$ systemctl status snort.service
● snort.service - Snort NIDS Daemon
Loaded: loaded (/lib/systemd/system/snort.service; linked; vendor preset: enabled)
Active: activating (start) since Sun 2015-05-10 10:23:24 CEST; 5min ago
Control: 14213 (snort)
CGroup: /system.slice/snort.service
└─14213 /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
May 10 10:23:24 snort systemd[1]: Starting Snort NIDS Daemon...
As you can see, systemd shows the service as "Active: activating (start)", instead of what it should show, which is "Active: active (running)".
I think the issue is how systemd checks the service or startup status of snort. I know the script above works for starting snort, but i'd rather have the service correctly report it's startup status to systemd.
If you leave out "TimeoutStartSec=0" in the service file, then systemd doesn't realize that snort has started, and then kills the process after 30 seconds.
if you include "TimeoutStartSec=0", then the snort daemon starts up fine, but systemd doesn't know the correct status of snort. (setting the timeout to zero means that systemd won't kill the process if it hasn't started).
Can anyone give any recommendations?
thank you,
Noah
I am having some issues creating a systemd startup script for Snort 2.9.7.x on Ubuntu 15. I think the issue is related to how snort forks, and there being an issue with snort notifying systemd that it has started.
the systemd script I am using:
noah@snort$ vi /lib/systemd/system/snort.service
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target
[Service]
TimeoutStartSec=0
Type=forking
PIDFile=/run/snort_eth0.pid
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
[Install]
WantedBy=multi-user.target
I start snort as follows:
noah@snort:/etc/systemd$ sudo systemctl daemon-reload; sudo systemctl start snort.service --no-block
(i use no-block to return to the command prompt, otherwise it just sits there).
I then verify that snort is running (I send packets that generate alerts that show up in the database). Once i'm sure that snort is working, I check the status of the daemon with systemclt:
noah@snort:/etc/systemd$ systemctl status snort.service
● snort.service - Snort NIDS Daemon
Loaded: loaded (/lib/systemd/system/snort.service; linked; vendor preset: enabled)
Active: activating (start) since Sun 2015-05-10 10:23:24 CEST; 5min ago
Control: 14213 (snort)
CGroup: /system.slice/snort.service
└─14213 /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
May 10 10:23:24 snort systemd[1]: Starting Snort NIDS Daemon...
As you can see, systemd shows the service as "Active: activating (start)", instead of what it should show, which is "Active: active (running)".
I think the issue is how systemd checks the service or startup status of snort. I know the script above works for starting snort, but i'd rather have the service correctly report it's startup status to systemd.
If you leave out "TimeoutStartSec=0" in the service file, then systemd doesn't realize that snort has started, and then kills the process after 30 seconds.
if you include "TimeoutStartSec=0", then the snort daemon starts up fine, but systemd doesn't know the correct status of snort. (setting the timeout to zero means that systemd won't kill the process if it hasn't started).
Can anyone give any recommendations?
thank you,
Noah
eost...@gmail.com
Oct 23, 2015, 9:33:09 PM10/23/15
to
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target
[Service]
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
[Install]
WantedBy=multi-user.target
And then checking the status shows:
[Install]
WantedBy=multi-user.target
● snort.service - Snort NIDS Daemon
Loaded: loaded (/lib/systemd/system/snort.service; disabled; vendor preset: enabled)
Active: active (running) since Fri 2015-10-23 18:29:25 PDT; 1min 6s ago
Main PID: 18949 (snort)
CGroup: /system.slice/snort.service
└─18949 /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
eost...@gmail.com
Oct 23, 2015, 9:34:14 PM10/23/15
to
Oct 23 18:29:25 monolith systemd[1]: Started Snort NIDS Daemon.
eost...@gmail.com
Oct 24, 2015, 12:56:04 PM10/24/15
to
0 new messages