Snort mailing list archives
network shutdown on certain alerts
From: "Jason K. Boykin" <jboykin () summit-research-corp com>
Date: Mon, 21 Jul 2003 15:22:29 -0500
Hi all, I've been asked to have some machines go down when certain alerts are triggered. Two ways I've looked at this are writing a shell script to do this or modifying an existing Snort log monitor such as razorback. I don't have much coding experience, but I'm learning, and I do have some scripting experience, although very little with start and stop scripts such as this.

Currently I've got Snort logging to /var/log/snort/alert and to PostgreSQL. I've got ACID up and viewing the database and still use razorback to get real-time updates when I'm at work testing stuff. I've also been using swatch to monitor /var/log/snort/alert to send e-mails out on priority 1 and 2 alerts.

I was working on this shell script to get the above accomplished, but I think I might be going about it the wrong direction. I was planning on using swatch to execute the script when a matched alert is made.

    #!/bin/sh
    # netdown: countdown network shutdown, kicked off by swatch on a priority 1 alert.
    # 'start' warns everyone, sleeps 30 s, then downs the network interfaces;
    # 'stop' aborts the countdown if it is run before the sleep finishes.
    . /etc/rc.d/init.d/functions

    PIDFILE=/var/run/netdown.pid

    case "$1" in
      start)
        wall "Priority 1 Alert Detected"
        wall "Network shutting down in 30 seconds"
        wall "Run abort script to stop shutdown"
        # Record our PID so that 'stop' (killproc) and 'status' can find this
        # sleeping countdown process.
        echo $$ > $PIDFILE
        sleep 30
        /etc/init.d/network stop
        touch /var/lock/subsys/netdown
        rm -f $PIDFILE
        echo
        ;;
      stop)
        wall "NetDown aborted"
        # killproc reads /var/run/netdown.pid and kills the countdown; this only
        # helps while 'start' is still inside its sleep.
        killproc netdown
        rm -f $PIDFILE /var/lock/subsys/netdown
        echo
        ;;
      status)
        status netdown
        ;;
      *)
        echo "Usage: $0 {start|stop|status}"
        exit 1
    esac
    exit 0

The servers are on RedHat 7.3 btw. I was asked to have a box or window pop up and alert anyone around about this, so I figured I would use 'wall'. /etc/init.d/network can be used to bring the network interface up and down. Don't know if it's in other distros. Now the problem is coming when I want to abort the lockdown. I was going to put a shortcut on the desktop to stop the script sometime during the sleep if it's caught in time. If I can get this working I could add sound or something too if my boss wanted. Can anyone help me with this or know of something already out there that can do the same thing or similar?
(Can't get SAM working)

Jason Boykin
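The mechanics of the post above (pick the priority out of a Snort alert line, start a countdown that can be aborted from a second invocation, report whether it is running, aborted or fired), as an added example that is not part of Jason's post or of Snort. It keeps state under /tmp/netdown-demo and announces with `echo` instead of `wall` (override with `ANNOUNCE=wall`), so it runs without root and without touching any interface; the two alert lines are constructed samples in Snort's one-line "fast" alert layout, and `netdown_demo` is a hypothetical wrapper standing in for the real `/etc/init.d/network stop`.

```shell
#!/bin/sh
# Added example (not from the original post). State lives under DEMO_DIR so the
# demo can run unprivileged; the real script would use /var/run and /var/lock.
DEMO_DIR=${DEMO_DIR:-/tmp/netdown-demo}
ANNOUNCE=${ANNOUNCE:-echo}        # set ANNOUNCE=wall to broadcast like the post does

# Constructed sample alert lines (fast-alert layout: everything on one line).
SAMPLE_P1='07/21-15:22:29.000001 [**] [1:1000001:1] Constructed test rule [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:3456 -> 10.0.0.9:22'
SAMPLE_P3='07/21-15:22:30.000002 [**] [1:1000002:1] Constructed noisy rule [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.9'

# Print the numeric priority found in one alert line, or "none" if absent.
# Works for the fast layout and for the "[Classification: ...] [Priority: N]"
# line of the full layout, since both carry the same bracketed field.
snort_priority() {
    case "$1" in
        *"[Priority: "*)
            p=${1##*\[Priority: }   # drop everything up to and including "[Priority: "
            p=${p%%]*}              # keep what precedes the closing bracket
            echo "$p" ;;
        *)  echo none ;;
    esac
}

# Exit status 0 if this alert should start the shutdown (priority 1 or 2).
should_trigger() {
    case "$(snort_priority "$1")" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# start: warn, then sleep $1 seconds in the background and run "$2" when the
# sleep expires. The background PID is recorded so 'abort' can kill it.
countdown_start() {
    mkdir -p "$DEMO_DIR"
    if [ -f "$DEMO_DIR/netdown.pid" ] && kill -0 "$(cat "$DEMO_DIR/netdown.pid")" 2>/dev/null; then
        $ANNOUNCE "netdown: countdown already running"
        return 0
    fi
    $ANNOUNCE "Priority 1 Alert Detected"
    $ANNOUNCE "Network shutting down in $1 seconds; run 'abort' to cancel"
    ( sleep "$1" && eval "$2" && touch "$DEMO_DIR/netdown.lock"
      rm -f "$DEMO_DIR/netdown.pid" ) &
    echo $! > "$DEMO_DIR/netdown.pid"
}

# abort: kill the sleeping countdown. Returns 1 if nothing was running.
countdown_abort() {
    [ -f "$DEMO_DIR/netdown.pid" ] || return 1
    kill "$(cat "$DEMO_DIR/netdown.pid")" 2>/dev/null || true
    rm -f "$DEMO_DIR/netdown.pid"
    $ANNOUNCE "NetDown aborted"
}

# status: "running" while the sleep is alive, "fired" once the action ran, else "idle".
countdown_status() {
    if [ -f "$DEMO_DIR/netdown.pid" ] && kill -0 "$(cat "$DEMO_DIR/netdown.pid")" 2>/dev/null; then
        echo running
    elif [ -f "$DEMO_DIR/netdown.lock" ]; then
        echo fired
    else
        echo idle
    fi
}

# Hypothetical entry point mirroring the post's start/stop/status interface.
# Usage: netdown_demo start <alert line> | stop | status
netdown_demo() {
    case "$1" in
        start)  should_trigger "$2" && countdown_start 30 'echo "(would run /etc/init.d/network stop here)"' ;;
        stop)   countdown_abort ;;
        status) countdown_status ;;
        *)      echo "Usage: netdown_demo {start <alert>|stop|status}"; return 1 ;;
    esac
}
```

With swatch, the trigger would be a `watchfor /Priority: [12]/` stanza whose action is `exec` of the start command; note that in Snort's default full alert layout the `[Priority: N]` field sits on the second line of each alert, so the pattern must match that line rather than the `[**]` header line.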
Current thread:
- [Newbie] alert definition pingouin osmolateur (Jul 10)
- Re: [Newbie] alert definition Erek Adams (Jul 10)
- network shutdown on certain alerts Jason K. Boykin (Jul 21)