Snort mailing list archives

Re: list archives...


From: Max Valdez <maxvalde () servm fc uaem mx>
Date: Wed, 22 Aug 2001 11:49:54 -0500

Hi

Here is what I use, no daemontools, just a cron job to see if snort is
running every once in a while.

Looks simple, and maybe silly, but it works very well for me; besides, if
snort dies and the script restarts it, I get an email telling me so.

In my opinion a daemontool is very good for stable known programs, but if ur
dealing with security u can't be that confident, especially on an anti-IDS
attack. You need to know if the process has been working constantly, and you
really need to know if snort dies for any given reason (misconfiguration is
the most common in my case).

Hope my two Mexican cents help

Max

p.s. BTW my script monitors guardian too

#!/bin/sh
# Snort monitor, useful to put in crontab
# add the following line to crontab
# 0-58/15 * * * * /usr/sbin/snort-mon.sh
#
# No pid file at all: snort is not running, so start it
if [ ! -f /var/run/snort_eth0.pid ] ;then
    date
    echo "corriendo snort"
    /etc/init.d/snort start
else
  # pid file exists: check that the pid really belongs to snort
  pid=`cat /var/run/snort_eth0.pid`
  run=`ps --pid $pid|tail -1|awk '{print $4}'`
# echo $run
  if [ "$run" != "snort" ] ; then
    echo "corriendo snort"
    /etc/init.d/snort start
  fi
  # same check for guardian, matched by name in the process list
  run=`ps -efl|grep guar|grep -v grep|sed -e 's/\// /g'|awk '{print $21}'`
  if [ "$run" != "guardian.pl" ] ; then
    /etc/init.d/guardian start
  fi
fi
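
Added example, not part of the original post and not the author's script: a variant of the same cron watchdog that separates the cases the post cares about (never started, died leaving a stale pid file, pid reused by another program) and prints the reason, so the mail cron sends records why the sensor was restarted. The function names and the use of /proc/PID/comm are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the script from the post. Function names are hypothetical.

# proc_name PID: print the command name of PID, or nothing if it is gone.
# Linux truncates this name to 15 characters.
proc_name() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm" 2>/dev/null || true
    else
        # comm= prints only the name, with no header line to strip.
        ps -p "$1" -o comm= 2>/dev/null || true
    fi
}

# pid_state PIDFILE EXPECTED_NAME: print missing|garbage|dead|reused|running
pid_state() {
    _pf=$1; _want=$2
    [ -f "$_pf" ] || { echo missing; return; }
    _pid=$(head -n 1 "$_pf" | tr -d '[:space:]')
    # Reject empty or non-numeric content before using it as a pid.
    case $_pid in
        ''|*[!0-9]*) echo garbage; return ;;
    esac
    _comm=$(proc_name "$_pid")
    if [ -z "$_comm" ]; then
        echo dead        # pid file left behind by a process that exited
    elif [ "$_comm" != "$_want" ]; then
        echo reused      # pid now belongs to an unrelated program
    else
        echo running
    fi
}

# watchdog PIDFILE NAME START_CMD...: restart unless running. The echoed line
# is what cron mails to the job owner, so it records why the restart happened.
watchdog() {
    _state=$(pid_state "$1" "$2")
    [ "$_state" = running ] && return 0
    echo "$(date) $2 state=$_state, restarting"
    shift 2
    "$@"
}
```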


