Snort mailing list archives
RE: PID problem
From: "Gordon Cunningham" <gacunningham () bellsouth net>
Date: Wed, 27 Aug 2003 17:56:29 -0400
I'm running on RH 8.0 and using this as my /etc/init.d/snort startup script (cobbled from several other sources) - seems to be running fine. I have separate rules subdir and log files for each instance, but the binary used to run them is the same. I have files of the format /var/run/snort_eth#.pid.

Note: I start and stop them all at the same time, but this could be fleshed out a bit more to allow individual instances to be controlled:

#!/bin/sh
#
# snort         Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description:  snort is a lightweight network intrusion detection tool that
#               currently detects more than 1100 host and network
#               vulnerabilities, portscans, backdoors, and more.
#
# revision history:
# 2003 Aug 04 - Gordon Cunningham
#             - initial attempt
#
# instructions: Comment out interfaces not in use in both the start and stop
# paragraphs. Eth0 is assumed to be the mgmt interface (already up).
#
# Source function library.
. /etc/rc.d/init.d/functions

# See how we were called.
case "$1" in
  start)
        echo -n "Starting snort-eth0: "
        cd /var/log/snort
        /usr/local/bin/snort -d -D -u user -g user \
                -c /etc/snort/snort-eth0.conf -i eth0
        touch /var/lock/subsys/snort-eth0
        echo

        echo -n "Starting snort-eth1: "
        ifconfig eth1 up promisc
        cd /var/log/snort
        /usr/local/bin/snort -d -D -u user -g user \
                -c /etc/snort/snort-eth1.conf -i eth1
        touch /var/lock/subsys/snort-eth1
        echo

        echo -n "Starting snort-eth2: "
        ifconfig eth2 up promisc
        cd /var/log/snort
        /usr/local/bin/snort -d -D -u user -g user \
                -c /etc/snort/snort-eth2.conf -i eth2
        touch /var/lock/subsys/snort-eth2
        echo

#       echo -n "Starting snort-eth3: "
#       ifconfig eth3 up promisc
#       cd /var/log/snort
#       /usr/local/bin/snort -d -D -u user -g user \
#               -c /etc/snort/snort-eth3.conf -i eth3
#       touch /var/lock/subsys/snort-eth3
#       echo
#
#       echo -n "Starting snort-eth4: "
#       ifconfig eth4 up promisc
#       cd /var/log/snort
#       /usr/local/bin/snort -d -D -u user -g user \
#               -c /etc/snort/snort-eth4.conf -i eth4
#       touch /var/lock/subsys/snort-eth4
#       echo
        ;;
  stop)
        echo -n "Stopping snort: "
        killproc snort
        rm -f /var/lock/subsys/snort-eth*
        ifconfig eth1 down
        ifconfig eth2 down
#       ifconfig eth3 down
#       ifconfig eth4 down
        echo
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        status snort
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
esac

exit 0

- Gordon

"The software said it requires Windows 98 or better, so I installed Linux..."

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of JP Vossen
Sent: Monday, August 25, 2003 7:56 PM
To: snort-users () lists sourceforge net
Cc: pauls () utdallas edu
Subject: RE: [Snort-users] PID problem

<SNIP>

I saw several follow-up posts but it was not clear to me if this has been totally solved. If not, an alternative to hacking the source would be to create symlinked snort binaries with a new name. That worked for my multi-instance sensor (-R is not in the man page, and I missed it in -h), but YMMV.
IIRC, I had more of a problem with /var/lock/subsys/ than with /var/run/snort*.pid files. I am using different interfaces, so the PID files get created with those OK. Not so with the lockfiles.

I also had to re-write /etc/init.d/snortd a bit. To be honest, I don't really remember all the details except that no matter what I did (again, w/o -R) I could not get it to work the way I wanted without the "renamed" binary files. Still, some messing with symlinks is easier than hacking the source code.

JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days because it would crash. Now you have to reboot Windows 200x or XP every couple of days because of a patch. How is that better or more stable?

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
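The message above notes that the script could be extended to control individual instances. The following is an added example, not code from either poster: it keys status and stop on the per-interface /var/run/snort_eth#.pid files and the /var/lock/subsys/snort-eth# lock files instead of `killproc snort`, which stops every sensor at once. The function names and the RUN_DIR/LOCK_DIR overrides are hypothetical.

```shell
#!/bin/sh
# Added example: per-interface control keyed on /var/run/snort_<iface>.pid.
# RUN_DIR and LOCK_DIR are overridable so the functions can be exercised
# against a scratch directory; all function names here are hypothetical.
RUN_DIR="${RUN_DIR:-/var/run}"
LOCK_DIR="${LOCK_DIR:-/var/lock/subsys}"

# Accept only names like eth0 so an argument can never escape RUN_DIR.
valid_iface() {
    case "$1" in ""|*[!a-z0-9]*) return 1 ;; esac
}

# Print the PID recorded for an interface; fail if the file is missing
# or holds anything other than a decimal number.
instance_pid() {
    valid_iface "$1" || return 2
    pidfile="$RUN_DIR/snort_$1.pid"
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" 2>/dev/null) || return 1
    case "$pid" in ""|*[!0-9]*) return 1 ;; esac
    echo "$pid"
}

# Report running / stale / stopped for one interface.
# "stale" means a PID file exists but no process answers signal 0.
instance_status() {
    if pid=$(instance_pid "$1"); then
        if kill -0 "$pid" 2>/dev/null; then echo running; else echo stale; fi
    else
        echo stopped
    fi
}

# Stop one instance: signal only the PID from that interface's file, then
# clear its PID file and subsys lock. Other sensors keep running.
stop_instance() {
    valid_iface "$1" || return 2
    if [ "$(instance_status "$1")" = running ]; then
        kill -TERM "$(instance_pid "$1")" || return 1
    fi
    rm -f "$RUN_DIR/snort_$1.pid" "$LOCK_DIR/snort-$1"
}

# Usage: <script> {status|stop} <iface>
case "${1:-}" in
    status) instance_status "$2" ;;
    stop)   stop_instance "$2" ;;
esac
```

`kill -0` only shows that some process owns the recorded PID, so after a reboot or crash a leftover PID file can point at an unrelated process; treat a "running" result from an old file with suspicion before signalling it.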
Current thread:
- PID problem Schmehl, Paul L (Aug 22)
- Re: PID problem Bryan Irvine (Aug 22)
- Re: PID problem Edin Dizdarevic (Aug 22)
- Re: PID problem Ralf Spenneberg (Aug 23)
- <Possible follow-ups>
- RE: PID problem Schmehl, Paul L (Aug 22)
- Re: PID problem Edin Dizdarevic (Aug 22)
- RE: PID problem Schmehl, Paul L (Aug 22)
- RE: PID problem JP Vossen (Aug 27)
- RE: PID problem Paul Schmehl (Aug 25)
- RE: PID problem Gordon Cunningham (Aug 27)