Snort mailing list archives

Re: Snort Restarter and Crash Logger (was Re: Re: Log file problem)


From: Dragos Ruiu <dr () kyx net>
Date: Tue, 7 Aug 2001 20:43:51 -0700

Way good suggestion. The path looks multiplatform to me.
Once you hit Solaris, (Open, Free...)BSD, Linux you're 
pretty universal... I'm not logged into a HPUX or AIX box 
to check now but this is a groovy mod. 

thanks,
--dr

--kyx--
#!/bin/sh
#snorthup: Snort Restarter and Crash Logger 
#(dr () kyx  net with help from kmaxwell () superpages com)  
conf="snort.conf"
for IFACE in fxp0 fxp1
do
     if [ -f /var/run/snort_$IFACE.pid ]; then
         # pidfile exists: is the process it names still alive?
         if ! ps -p `cat /var/run/snort_$IFACE.pid` > /dev/null ; then
               /usr/bin/logger -p user.notice snorthup: removing bogus pidfile
               /usr/bin/logger -p user.notice snorthup: restarting absentee snort on $IFACE with conf file $conf
               rm -f /var/run/snort_$IFACE.pid
               /usr/local/bin/snort -D -c $conf -i $IFACE
         fi
     else
         # no pidfile at all: snort was never started (or cleaned up on exit)
         /usr/bin/logger -p user.notice snorthup: restarting snort on $IFACE with conf file $conf
         /usr/local/bin/snort -D -c $conf -i $IFACE
     fi
done

--kyx--

On Tue, 07 Aug 2001, Kyle R Maxwell wrote:
Just a suggestion: logger is probably a better way to go than just
writing to /var/log/messages, since a lot of folks probably use a syslog
server instead. Something like 

/usr/bin/logger -p auth.notice "put your message here"

works really well. I think logger is available on all platforms; this is
from Solaris (the path could be wrong too, that's off the top of my
head).

But that's a really useful script, and a lot more lightweight than
daemontools!

On Mon, 6 Aug 2001, Dragos Ruiu wrote:

I too find daemontools a bit of overkill for this problem.  Here is a little 
shell script excerpt that you can run from crontab once a minute
or once every couple of minutes to restart dead snorts and it will 
also log crashes so you know about them:

#!/bin/sh
i="snort.conf"
for IFACE in fxp0 fxp1
do
    if [ -f /var/run/snort_$IFACE.pid ]; then
        if ! ps -p `cat /var/run/snort_$IFACE.pid` > /dev/null ; then
              echo `date` snorthup: removing bogus pidfile >>/var/log/messages
              echo `date` snorthup: restarting absentee snort on $IFACE with conf file $i >>/var/log/messages
              rm -f /var/run/snort_$IFACE.pid
              /usr/local/bin/snort -D -c $i -i $IFACE
        fi
    else
        echo `date` snorthup: restarting snort on $IFACE with conf file $i >>/var/log/messages
        /usr/local/bin/snort -D -c $i -i $IFACE
    fi
done
        


-- 
Kyle Maxwell
kmaxwell () superpages com
SuperPages.com Sys Admin
-- 
Dragos Ruiu <dr () dursec com>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
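An added example, not the script from this thread and not Snort's own tooling: the same crontab watchdog written as shell functions so it can be exercised without Snort installed. It keeps the thread's logic (pidfile present and process alive: nothing to do; pidfile present but process gone: remove the stale pidfile, log, restart; no pidfile: log, start) and logs through logger as suggested above, with a fallback to stderr where logger is missing. It goes one step beyond the original in that it refuses to pass a pidfile whose contents are not a plain PID to kill, and instead logs, removes the file and restarts; without that check, whoever can write the pidfile controls what ends up on the command line of a root cron job. PIDDIR, CONF, SNORT_BIN and the interface list are placeholders, and start_snort is split out precisely so a test can replace it.

```shell
#!/bin/sh
# snorthup-style watchdog (added example, not the list's original script).
# Placeholders below are assumptions; adjust for the local install.
PIDDIR="${PIDDIR:-/var/run}"
CONF="${CONF:-/usr/local/etc/snort.conf}"
SNORT_BIN="${SNORT_BIN:-/usr/local/bin/snort}"
IFACES="${IFACES:-fxp0 fxp1}"

# Log a notice via syslog; fall back to stderr if logger is unavailable or
# cannot reach syslog (the cron job should not die just because logging failed).
log_notice() {
    if ! logger -t snorthup -p user.notice "$*" 2>/dev/null; then
        printf 'snorthup: %s\n' "$*" >&2
    fi
}

# Start one snort daemon on interface $1. Kept as a separate function so the
# watchdog can be tested with a stand-in instead of the real binary.
start_snort() {
    "$SNORT_BIN" -D -c "$CONF" -i "$1"
}

# Check one interface and repair as needed. Return code reports the action:
#   0 = snort alive, nothing done
#   1 = stale pidfile removed, snort restarted
#   2 = no pidfile, snort started
#   3 = pidfile content was not a PID; file removed, snort restarted
check_iface() {
    iface=$1
    pidfile="$PIDDIR/snort_$iface.pid"

    if [ ! -f "$pidfile" ]; then
        log_notice "restarting snort on $iface with conf file $CONF"
        start_snort "$iface"
        return 2
    fi

    # Read only the first line and strip whitespace; accept digits only, so a
    # corrupted or tampered pidfile never becomes a shell argument.
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*)
            log_notice "pidfile $pidfile does not contain a pid; removing it"
            log_notice "restarting snort on $iface with conf file $CONF"
            rm -f "$pidfile"
            start_snort "$iface"
            return 3 ;;
    esac

    # kill -0 only tests whether the process exists (no signal is delivered).
    if kill -0 "$pid" 2>/dev/null; then
        return 0
    fi

    log_notice "removing bogus pidfile"
    log_notice "restarting absentee snort on $iface with conf file $CONF"
    rm -f "$pidfile"
    start_snort "$iface"
    return 1
}

# Walk every interface; a non-zero code is a report, not a failure.
snorthup() {
    for iface in $IFACES; do
        check_iface "$iface" || :
    done
}

# Only act when invoked as "snorthup.sh run", so sourcing the file is harmless.
if [ "${1:-}" = run ]; then
    snorthup
fi
```

Run it from cron as in the original suggestion, e.g. `* * * * * /usr/local/sbin/snorthup.sh run`, and watch for the `snorthup:` tag in syslog; a burst of "restarting absentee snort" notices is the crash signal the thread is after, and the digit-only pidfile check keeps the restart itself from being steered by a writable pidfile.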


