Snort mailing list archives
RE: Newbie Question
From: "Pacheco, Michael F." <MPacheco () elcom com>
Date: Fri, 25 Apr 2003 15:07:03 -0400
If you did a source install, look in the snortsource/contrib folder for S99snort - do a

cp S99snort /etc/init.d/snort
cd /etc/init.d
(Now edit the file to your config - interface name - snort * group name (nobody on my box))
* make sure it's executable (chmod 755 snort)
cd /etc/rc3.d
ln -s ../init.d/snort S99snort
cd /etc/rc5.d
ln -s ../init.d/snort S99snort

Now snort will start on boot, and you can gracefully kill it with PID tracking by issuing

/etc/init.d/snort stop (or start or restart - if you just updated your rules)

Your mileage may vary - runs great on RedHat 7.3, 8.- and 9.0 - If you did an rpm install you're out of luck, I'd guess it would auto install this script but I'm not sure because I don't do rpm's of software I change a lot.

Enjoy,
Mike Pacheco

-----Original Message-----
From: Wilcoxen, Scott [mailto:SWilcoxen () macf com]
Sent: Friday, April 25, 2003 2:38 PM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Newbie Question

I'm relatively new to both Snort and Linux, so please bear with me here. I have got snort set up on two separate machines. One machine is listening to traffic on the outside of my firewall and the other on the inside. On a third machine I've got a MySQL database to which I'm logging alerts. I've set up an apache web server on this machine as well and am using ACID to view the alerts being logged.

My sensors are logging all packets in binary tcp dump format on the local hard drive. I would like to set up a cron job to move these logs to another machine every day so that the hard drives on my sensors don't fill up. I'm starting snort in daemon mode and noticed that when I move the logs it doesn't seem to start another one. So my theory was that if I stop snort, move the logs, and restart snort I would be ok. Problem is I can't find a way to stop snort short of issuing a 'kill pid'. I want to script all of this. Any suggestions?

Scott S Wilcoxen
Macfadden & Associates, Inc.
Office: 301.562.3046 Mobile: 410.688.2813 Fax: 301.588.0390
Email: SWilcoxen () macf com
www.macf.com
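
Added example (not part of either message and not from the Snort distribution): the stop / move / restart sequence asked about above, written as a cron-callable script that uses the init script from the reply. The log directory, the staging directory and the snort.log.* file pattern are assumptions; override them through the environment.

```sh
#!/bin/sh
# Added example: rotate Snort binary logs around a clean stop/start.
# All paths below are assumptions, not values from the thread.
SNORT_INIT="${SNORT_INIT:-/etc/init.d/snort}"             # init script installed as in the reply
SNORT_LOGDIR="${SNORT_LOGDIR:-/var/log/snort}"            # assumed sensor log directory
SNORT_ARCHIVE="${SNORT_ARCHIVE:-/var/log/snort/archive}"  # assumed local staging directory
SNORT_PATTERN="${SNORT_PATTERN:-snort.log.*}"             # assumed binary log file names

# Prints the number of files moved. Returns 1 if Snort could not be
# stopped (nothing is moved), 2 if it could not be restarted.
rotate_snort_logs() {
    stamp=$(date +%Y%m%d-%H%M%S)
    dest="$SNORT_ARCHIVE/$stamp"
    mkdir -p "$dest" || return 1

    # Stop first so Snort closes its current capture file; moving the
    # file from under a running daemon is what left the asker without
    # a new log. Init script chatter goes to stderr, not into the count.
    "$SNORT_INIT" stop >&2 || return 1

    moved=0
    for f in "$SNORT_LOGDIR"/$SNORT_PATTERN; do
        [ -f "$f" ] || continue          # pattern matched nothing
        if mv "$f" "$dest/"; then
            moved=$((moved + 1))
        fi
    done

    # Always attempt the restart, even if a move failed, so the sensor
    # is not left blind.
    "$SNORT_INIT" start >&2 || { echo "snort did not restart" >&2; return 2; }
    echo "$moved"
}

# Run only when asked to, e.g. from cron: rotate-snort-logs.sh --run
if [ "${1:-}" = "--run" ]; then
    rotate_snort_logs
fi
```

Copying the staged directory to another machine is a separate step once the function returns; the sensor is not capturing between the stop and the start, so keep that window to the local move only.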
Current thread:
- Newbie question Chris (Apr 21)
- Re: Newbie question Erick Mechler (Apr 21)
- Re: Newbie question (FAQ 4.3 update requested) Matt Kettler (Apr 21)
- <Possible follow-ups>
- RE: Newbie question Potts, Ross A. (Apr 23)
- Newbie Question Wilcoxen, Scott (Apr 25)
- RE: Newbie Question Pacheco, Michael F. (Apr 25)
- RE: Newbie Question Wilcoxen, Scott (Apr 27)