Snort mailing list archives

RE: PID problem


From: "Gordon Cunningham" <gacunningham () bellsouth net>
Date: Wed, 27 Aug 2003 17:56:29 -0400

I'm running on RH 8.0 and using this as my /etc/init.d/snort startup script
(cobbled from several other sources) - seems to be running fine.  I have
separate rules subdir and log files for each instance, but the binary used
to run them is the same.  I have files of the format /var/run/snort_eth#.pid.
Note:  I start and stop them all at the same time, but this could be
fleshed out a bit more to allow individual instances to be controlled:

#!/bin/sh
#
# snort         Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description:  snort is a lightweight network intrusion detection tool that
#               currently detects more than 1100 host and network
#               vulnerabilities, portscans, backdoors, and more.
#
# revision history:
#       2003 Aug 04 - Gordon Cunningham
#        - initial attempt
#
# instructions: Comment out interfaces not in use in both the start and stop
#               paragraphs.  Eth0 is assumed to be the mgmt interface
#               (already up).
#


# Source function library.
. /etc/rc.d/init.d/functions

# See how we were called.
case "$1" in
  start)
        echo -n "Starting snort-eth0: "
        cd /var/log/snort
        /usr/local/bin/snort -d -D -u user -g user \
                -c /etc/snort/snort-eth0.conf -i eth0
        touch /var/lock/subsys/snort-eth0
        echo

        echo -n "Starting snort-eth1: "
        ifconfig eth1 up promisc
        cd /var/log/snort
        /usr/local/bin/snort -d -D -u user -g user \
                -c /etc/snort/snort-eth1.conf -i eth1
        touch /var/lock/subsys/snort-eth1
        echo

        echo -n "Starting snort-eth2: "
        ifconfig eth2 up promisc
        cd /var/log/snort
        /usr/local/bin/snort -d -D -u user -g user \
                -c /etc/snort/snort-eth2.conf -i eth2
        touch /var/lock/subsys/snort-eth2
        echo

#       echo -n "Starting snort-eth3: "
#       ifconfig eth3 up promisc
#       cd /var/log/snort
#       /usr/local/bin/snort -d -D -u user -g user \
#               -c /etc/snort/snort-eth3.conf -i eth3
#       touch /var/lock/subsys/snort-eth3
#       echo
#
#       echo -n "Starting snort-eth4: "
#       ifconfig eth4 up promisc
#       cd /var/log/snort
#       /usr/local/bin/snort -d -D -u user -g user \
#               -c /etc/snort/snort-eth4.conf -i eth4
#       touch /var/lock/subsys/snort-eth4
#       echo
        ;;
  stop)
        echo -n "Stopping snort: "
        # killproc matches on the binary name, so this stops every snort
        # instance at once (all of them share /usr/local/bin/snort).
        killproc snort
        rm -f /var/lock/subsys/snort-eth*
        ifconfig eth1 down
        ifconfig eth2 down
#       ifconfig eth3 down
#       ifconfig eth4 down
        echo
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        status snort
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
esac

exit 0




- Gordon

"The software said it requires Windows 98 or better, so I installed
Linux..."

 -----Original Message-----
From:   snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]  On Behalf Of JP Vossen
Sent:   Monday, August 25, 2003 7:56 PM
To:     snort-users () lists sourceforge net
Cc:     pauls () utdallas edu
Subject:        RE: [Snort-users] PID problem

<SNIP>

I saw several follow-up posts but it was not clear to me if this has been
totally solved.

If not, an alternative to hacking the source would be to create symlinked
snort binaries with a new name.  That worked for my multi-instance sensor
(-R is not in the man page, and I missed it in -h), but YMMV.

IIRC, I had more of a problem with /var/lock/subsys/ than with
/var/run/snort*.pid files.  I am using different interfaces, so the PID files
get created with those OK.  Not so with the lockfiles.  I also had to re-write
/etc/init.d/snortd a bit.

To be honest, I don't really remember all the details except that no matter
what I did (again, w/o -R) I could not get it to work the way I wanted without
the "renamed" binary files.

Still, some messing with symlinks is easier than hacking the source code.
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



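Both posts above circle the same operational problem: several Snort daemons sharing one binary, so `killproc snort` / `status snort` cannot tell the instances apart. The script below is an added example for this thread, not Gordon's posted script and not anything shipped with Snort. It keys each instance on the /var/run/snort_<iface>.pid file that Snort writes when started with -D -i <iface> (the naming Gordon reports), so one interface can be started, stopped or checked without touching the others, and a stale pidfile left by a crashed instance is detected with `kill -0` rather than trusted. Paths, the snort user/group, and the sensor interface list are assumptions copied from the posted script; the read_pid/instance_running helpers are this example's own names.

```sh
#!/bin/sh
# Per-interface control of multiple Snort instances, keyed on the
# /var/run/snort_<iface>.pid files Snort writes when run with -D -i <iface>.
# Added example for this thread; paths and names below are assumptions
# mirroring the posted script, not settings taken from Snort itself.

SNORT=${SNORT:-/usr/local/bin/snort}
CONFDIR=${CONFDIR:-/etc/snort}
LOGDIR=${LOGDIR:-/var/log/snort}
RUNDIR=${RUNDIR:-/var/run}
LOCKDIR=${LOCKDIR:-/var/lock/subsys}
SNORT_USER=${SNORT_USER:-user}
SNORT_GROUP=${SNORT_GROUP:-user}
# Interfaces to sniff; eth0 is the management interface and is left alone.
SENSOR_IFACES=${SENSOR_IFACES:-"eth1 eth2"}

pidfile()  { echo "$RUNDIR/snort_$1.pid"; }
lockfile() { echo "$LOCKDIR/snort-$1"; }

# Print the PID recorded for an interface; fail if the file is missing
# or does not hold a bare integer (never feed junk to kill).
read_pid() {
    f=$(pidfile "$1")
    [ -r "$f" ] || return 1
    pid=$(head -n 1 "$f" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    echo "$pid"
}

# 0 if the recorded process is alive, 1 if stopped or the pidfile is stale.
instance_running() {
    pid=$(read_pid "$1") || return 1
    kill -0 "$pid" 2>/dev/null
}

start_instance() {
    iface=$1
    if instance_running "$iface"; then
        echo "snort-$iface already running (pid $(read_pid "$iface"))"
        return 0
    fi
    # A pidfile whose PID is dead is stale; clear it so the new daemon starts.
    rm -f "$(pidfile "$iface")"
    printf '%s' "Starting snort-$iface: "
    ifconfig "$iface" up promisc
    (cd "$LOGDIR" && "$SNORT" -d -D -u "$SNORT_USER" -g "$SNORT_GROUP" \
        -c "$CONFDIR/snort-$iface.conf" -i "$iface")
    touch "$(lockfile "$iface")"
    echo
}

stop_instance() {
    iface=$1
    printf '%s' "Stopping snort-$iface: "
    if pid=$(read_pid "$iface"); then
        kill "$pid" 2>/dev/null    # TERM this instance only, not every snort
    fi
    rm -f "$(pidfile "$iface")" "$(lockfile "$iface")"
    ifconfig "$iface" down
    echo
}

status_instance() {
    if instance_running "$1"; then
        echo "snort-$1 (pid $(read_pid "$1")) is running"
    else
        echo "snort-$1 is stopped"
    fi
}

# Usage: snort {start|stop|restart|status} [iface ...]; no iface means all.
if [ $# -gt 0 ]; then
    action=$1; shift
    ifaces=${*:-$SENSOR_IFACES}
    for i in $ifaces; do
        case "$action" in
            start)   start_instance "$i" ;;
            stop)    stop_instance "$i" ;;
            restart) stop_instance "$i"; start_instance "$i" ;;
            status)  status_instance "$i" ;;
            *) echo "Usage: $0 {start|stop|restart|status} [iface ...]"; exit 1 ;;
        esac
    done
fi
```

`/etc/init.d/snort restart eth2` then cycles only the eth2 daemon, and `status` reports per interface instead of answering for whichever snort process `status` happens to find. The lockfile handling is the same one-file-per-interface scheme as the posted script; the point of the pidfile check is that a crashed instance leaves a file behind, and without the `kill -0` test a plain "pidfile exists" check would report it as running forever.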

