Snort mailing list archives
Updated: Improved snortd init script
From: JP Vossen <vossenjp () netaxs com>
Date: Sat, 24 May 2003 01:03:07 -0400 (EDT)
Added a check in case you try to execute snortd stats when Snort is not running. Otherwise the error is not very useful, especially for a newbie. Duh.
I was messing around with kill -USR1 {snort} and wondering why that was not in the init script wrapper, so I added it. It works on my RedHat 8.0 box, but I've done no other testing. What do you think? Snort.org/Sourcefire guys: hopefully this will make the stats a little easier for those just moving to UNIX (esp. snortd stats opt). Any suggestions for improvement (it's a bit ugly right now)?
Later, JP
I hope the formatting survives my mailer...
----- Cut Here -----
#!/bin/sh
#
# snortd        Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description: snort is a lightweight network intrusion detection tool that
#              currently detects more than 1100 host and network
#              vulnerabilities, portscans, backdoors, and more.
#
# June 10, 2000 -- Dave Wreski <dave () linuxsecurity com>
#   - initial version
#
# July 08, 2000 Dave Wreski <dave () guardiandigital com>
#   - added snort user/group
#   - support for 1.6.2
# July 31, 2000 Wim Vandersmissen <wim () bofh st>
#   - added chroot support
# May 23, 2003 JP Vossen <jp () jpsdomain org>
#   - added stats (long|opt) option
# May 24, 2003 JP Vossen <jp () jpsdomain org>
#   - added PID checking in case stats run when Snort is not running

# Source function library.
. /etc/rc.d/init.d/functions

# Specify your network interface here
INTERFACE=eth0

# See how we were called.
case "$1" in
  start)
        echo -n "Starting snort: "
        cd /var/log/snort
        daemon /usr/sbin/snort -A fast -b -l /var/log/snort -d -D \
                -i $INTERFACE -c /etc/snort/snort.conf
        touch /var/lock/subsys/snort
        echo
        ;;
  stop)
        echo -n "Stopping snort: "
        killproc snort
        rm -f /var/lock/subsys/snort
        echo
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        status snort
        ;;
  stats | statistics)
        tc=100                          # Trailing context to grep
        secs=3                          # Seconds to wait for syslog
        syslog='/var/log/messages'

        # Grab Snort's PID
        pid=`pidof -o $$ -o $PPID -o %PPID -x snort`
        if [ ! -n "$pid" ]; then        # if we got no PID then:
            echo "Snort is not running."
            exit 2
        fi

        echo "Dumping Snort's ($pid) statistics to screen and $syslog"
        echo "please wait $secs seconds..."

        # Get the date and tell Snort to dump stats as close together in
        # time as possible -- not 100%, but it seems to work.
        startdate=`date '+%b %e %H:%M:%S'` && kill -USR1 $pid

        # Sleep for $secs secs to give syslog a chance to catch up
        sleep $secs     # May need to be adjusted for slow/busy systems

        if [ "$2" = "long" ]; then      # Long format
            egrep -A $tc "^$startdate .* snort: ={79}" $syslog | \
                grep snort:
        elif [ "$2" = "opt" ]; then     # OPTimize format
            # Just show stuff useful for optimizing Snort
            egrep -A $tc "^$startdate .* snort: ={79}" $syslog | \
                egrep "snort: Snort analyzed |snort: dropping|emory .aults:"
        else                            # Default format
            egrep -A $tc "^$startdate .* snort: ={79}" $syslog | \
                grep snort: | cut -d: -f4-
        fi
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|status|stats (long|opt)}"
        exit 1
esac

exit 0
----- Cut Here -----

JP Vossen, CISSP | jp () jpsdomain org
My Account, My Opinions | http://www.jpsdomain.org/
"The software said it requires Windows XP or better, so I installed Linux..."
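An added example, not from JP's post or the snortd script: a shell function that pulls one Snort SIGUSR1 statistics dump out of syslog-style lines by bracketing on the lines of "=" that Snort prints around the dump, instead of a fixed 100-line trailing context, and that accepts a dump logged at or after the start timestamp rather than only one stamped the exact same second. The log lines are constructed (hostname "ids", counts, the sshd line) and the "opt" filter reuses the post's grep pattern; timestamps are compared as text, so it assumes the dump falls in the same month as the start time, as the original's `%b %e %H:%M:%S` match does.

```shell
#!/bin/sh
# snort_stats_block START: read syslog lines on stdin and print the body of the
# first Snort statistics dump (the text after "snort: ") logged at START or later.
# A dump is bracketed by lines consisting only of "=" after "snort: "; the first
# such marker opens the block, the next one closes it. The syslog timestamp is
# the first 15 characters ("%b %e %H:%M:%S"), so a plain string compare orders
# lines within one month.
snort_stats_block() {
    awk -v start="$1" '
        substr($0, 1, 15) < start { next }                # logged before START: skip
        / snort: =+$/ { if (inblock) exit; inblock = 1; next }
        inblock && / snort: / { sub(/^.* snort: /, ""); print }
    '
}

# snort_stats_opt START: same block reduced to the lines the post's "opt" mode
# keeps (packets analyzed/dropped and the memory-faults counter).
snort_stats_opt() {
    snort_stats_block "$1" | grep -E 'Snort analyzed |dropping|emory .aults:'
}

# Constructed sample log: an older dump at 00:57:00, the dump we want one second
# after the requested start time, and an unrelated sshd line after it.
SAMPLE_LOG=$(cat <<'EOF'
May 24 00:57:00 ids snort: ===============================================================================
May 24 00:57:00 ids snort: Snort analyzed 40 out of 40 packets, dropping 0(0.000%) packets
May 24 00:57:00 ids snort: ===============================================================================
May 24 00:58:11 ids snort: ===============================================================================
May 24 00:58:11 ids snort: Snort analyzed 1523 out of 1523 packets, dropping 0(0.000%) packets
May 24 00:58:11 ids snort: Breakdown by protocol:
May 24 00:58:11 ids snort:     TCP: 1200 (78.789%)
May 24 00:58:11 ids snort: Memory faults: 0
May 24 00:58:11 ids snort: ===============================================================================
May 24 00:58:12 ids sshd[123]: Accepted publickey for jp from 192.0.2.10
EOF
)

# Demo: what "snortd stats" would show for a kill -USR1 issued at 00:58:10.
printf '%s\n' "$SAMPLE_LOG" | snort_stats_block "May 24 00:58:10"
```

In the init script this would replace the `egrep -A $tc ... | grep snort: | cut -d: -f4-` pipeline with `snort_stats_block "$startdate" < "$syslog"`.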