Snort mailing list archives

Re: Snort-users digest, Vol 1 #2581 - 7 msgs


From: Robert Young <kwailoe () pacbell net>
Date: Mon, 16 Dec 2002 10:01:09 -0800

You wrote:

Message: 1
From: "Don" <Don () WeberOnTheWeb com>
To: <snort-users () lists sourceforge net>
Date: Fri, 13 Dec 2002 10:54:14 -0800
Subject: [Snort-users] stopping snort

Has anyone found a way to stop snort automatically? What I want to do is
have snort stop if it gets more than 'x' alerts in a single hour, or some
time frame, then of course email me that it has stopped. I do go to syslog
with alerts. Any suggestions? I have a particular sensor that periodically
starts alerting on something that just causes a round robin effect and
fills up the logs with the same error over and over and over; it gets really
boring actually, 'if' I can open the log. The logs have become as large as
2gig on occasion.

#!/bin/sh
# Robert Young
# start and stop snort IDS
# chkconfig:  345 85 15
#     Starts and stops snort -swiped from init.d
# processname: snort
# pidfile: /var/run/IDS.pid

# Source function library
.   /etc/rc.d/init.d/functions

# See how we were called
case "$1" in
 start)
    echo -n "Starting IDS: "
    # -D runs snort as a daemon; pidof afterwards records the daemon's pid
    /usr/local/snort -A full -D -c /etc/rules/snort.conf
    echo
    touch /var/lock/subsys/IDS
    pidof snort > /var/run/IDS.pid
    ;;
 stop)
    echo -n " Shutting down IDS: "
    [ -f /var/run/IDS.pid ]  && {
        # -9 (SIGKILL) gives snort no chance to flush its logs; a plain kill (SIGTERM) lets it exit cleanly
        kill -9 `cat /var/run/IDS.pid`
        echo -n IDS
    }
    echo
    rm -f /var/lock/subsys/IDS
    rm -f /var/run/IDS.pid
    ;;
 status)
    # status from the function library looks the process up by name, so ask for snort, not IDS
    status snort
    ;;
 restart)
    $0 stop
    $0 start
    ;;
 *)
    echo "Usage: {start | stop | restart | status}"
    exit 1
    ;;
esac
exit 0

Make the script executable and place it in /etc/rc.d/init.d. You may be able to write a script that reacts to
certain conditions. For example, I have used swatch to monitor my alert logs and page me when it detects hostile
traffic exiting my network. swatch can execute the above script as well. You will need to edit the obvious commands
to fit your set up.

This has worked with Red Hat 7.3.

Bob Young
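Don asked for a way to stop snort automatically once the alert rate passes a limit and to be mailed about it. The following is an added example (mine, not Bob's script and not anything shipped with Snort) that does this with the init script above: run from cron once an hour, it compares the number of alert records in the -A full alert file with the count it saved on the previous run, and if the interval gained more than MAX_ALERTS it runs the init script's stop action and mails the admin. The file paths, the init script name IDS, the crontab line and the use of mail(1) are assumptions.

```shell
#!/bin/sh
# Alert-rate watchdog (added example, not Bob's init script): run from cron
# once an hour. If Snort's alert file gained more than MAX_ALERTS records
# since the previous run, stop Snort through the init script and send mail.
# Assumed, not from the post: the paths below, an init script named IDS, mail(1).
ALERT_FILE=${ALERT_FILE:-/var/log/snort/alert}
STATE_FILE=${STATE_FILE:-/var/run/IDS.alertcount}
MAX_ALERTS=${MAX_ALERTS:-500}
ADMIN_MAIL=${ADMIN_MAIL:-root@localhost}
INIT_SCRIPT=${INIT_SCRIPT:-/etc/rc.d/init.d/IDS}

# Count alert records: with -A full every alert starts with a "[**]" header line.
count_alerts() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^\[\*\*\]' "$1" || :     # grep exits 1 on zero matches; not an error here
}

# Count saved by the previous run, 0 if there is none yet.
read_state() {
    if [ -f "$1" ]; then cat "$1"; else echo 0; fi
}

# Print the number of alerts added since the last run and return 0 (threshold
# tripped) when it exceeds the limit, 1 otherwise.  A current count lower than
# the saved one means the file was rotated or truncated: count from zero.
check_rate() {   # args: current_count previous_count max_alerts
    new=$(( $1 - $2 ))
    [ "$new" -lt 0 ] && new=$1
    echo "$new"
    [ "$new" -gt "$3" ]
}

watchdog() {
    cur=$(count_alerts "$ALERT_FILE")
    prev=$(read_state "$STATE_FILE")
    if new=$(check_rate "$cur" "$prev" "$MAX_ALERTS"); then
        "$INIT_SCRIPT" stop
        printf 'Snort stopped on %s: %s alerts in the last interval (limit %s)\n' \
            "$(uname -n)" "$new" "$MAX_ALERTS" |
            mail -s "Snort stopped: alert flood" "$ADMIN_MAIL"
    fi
    echo "$cur" > "$STATE_FILE"
}

# crontab entry (assumed): 0 * * * * /usr/local/sbin/snort-watchdog.sh run
case "${1:-}" in run) watchdog ;; esac
```

Because the check is a difference of counts between runs, the cron interval is the time frame: an hourly entry means "more than MAX_ALERTS alerts in an hour", and a rotated alert file is handled by counting from zero instead of producing a negative number.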


