Snort mailing list archives
Re: snort/Barnyard startup script
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Wed, 07 Jul 2004 14:02:55 +0200
Hi,

this is the way I have it added in my script; maybe you can use it (remember to adapt it for your system):
...
################################################################################
# General constants
#
# Snort binary
SNORT="/usr/local/bin/snort"
# Barnyard binary
BY="/usr/local/bin/barnyard"
PIDOF="/sbin/pidof"
ECHO="/bin/echo"
RM="/bin/rm"
KILL="/bin/kill"
SLEEP="/bin/sleep"
#
#
################################################################################

################################################################################
# Barnyard constants
#
# Barnyard configuration file
BY_CFG="/etc/snort/barnyard.conf"
# Spoolfile, the file where Snort is logging the alerts. Must be same as in
# Snort configuration file. The appended time is detected automatically by BY.
BY_SPOOL="/var/log/snort/unified.log"
# Path to the sid-msg.map file. The file where the reference to the specific
# vulnerabilities is stored so we can find further information on alerts.
SID="/etc/snort/sid-msg.map"
# Path to the "waldo" file. That is, where Barnyard will save the actual state.
# If BY has been restarted, it will not try to log the alerts already being
# logged.
BY_WALDO="/var/log/snort/waldo.barnyard"
#
#
################################################################################
...
# Starting Barnyard...
"$ECHO" "Starting Barnyard logging facility..."

# Find out if Barnyard is already running
BY_PID=$("$PIDOF" "$BY")
if [ -z "$BY_PID" ]
then
    "$ECHO" "No Barnyard instances available!"
    "$ECHO" "Continuing and removing old pidfiles if there..."
    # delete old pidfiles if there
    "$RM" -f /var/run/by.pid > /dev/null 2>&1
else
    # BY instance(s) found
    "$ECHO" "Barnyard already running!"
    "$ECHO" "Please call \"stop\" or \"restart\" first!"
    # Error
    exit 1
fi

# No BY instances running and no old pidfiles there
"$ECHO" "Starting Barnyard now..."
"$BY" -c "$BY_CFG" -f "$BY_SPOOL" -s "$SID" -w "$BY_WALDO"

# wait a second or two...
"$SLEEP" 2

# Both the pidfile and a live process must be present
BY_PIDFILE=$(cat /var/run/by.pid 2>/dev/null)
BY_PID=$("$PIDOF" "$BY")
if [ -n "$BY_PIDFILE" ] && [ -n "$BY_PID" ]
then
    "$ECHO" "Barnyard running now with PID $BY_PID."
else
    "$ECHO" -e "ERROR!\n"
    "$ECHO" "An error occurred! Barnyard is not running!"
    exit 1
fi

Regards,
Edin

Patrick S. Harper wrote:
There is a file called S99snort in the contrib dir where you uncompressed the snort source files. Copy that to /etc/init.d and create a symlink in the run levels you want to run it in. For barnyard I just modified the snort init script, or you can just put it in rc.local (it would be better to use a script though).

Patrick S. Harper | CISSP RHCT MCSE
www.internetsecurityguru.com
www.ntsug.org - Snort Users Group
"If there is no light at the end of the tunnel, get down there and light the damn thing yourself!"

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Mike Cohen
Sent: Tuesday, July 06, 2004 9:34 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort/Barnyard startup script

Hello,

I'm fairly new to Linux, and have been tasked with building a snort sensor for our network.

I have Suse 9, snort 2.12 with Barnyard 0.2.0 and mysql up and running.

None of the services (apache/mysql/barnyard/snort) are running when I start the server. I see that I can add apache and mysql to the various runlevels using Yast, but I'm not quite sure how exactly to script the startup of snort and barnyard. I've seen references to snortd, but I can't seem to find any definitive references to make snort a daemon, other than the command line switch, which would mean I'd have to have it in a script somewhere. I have no experience with startup scripting of any kind other than dumping one-liners in rc.local. I see that startup scripts would go in the appropriate runlevel folder, but is a startup script as simple as just typing in the snort start command with the proper switches, saving it as a file and dumping it in the right rc.3 and rc.5 directories? From what I can gather there is more to it, and it looks like it involves some C coding (which I don't know). Can someone point me in the right direction?

All the books mention using some runlevel editor tool, but that doesn't seem to apply to snort, since it's not a distro-installed service.

Any help or insight appreciated.

Thanks.
Mike C.

-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training. Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Edin Dizdarevic
Networking Development
System Developer

iAS interActive Systems
Gesellschaft fuer interaktive Medien mbH
Dieffenbachstr. 33c
10967 Berlin
Germany

fon +49-(0)30 69 004-123
fax +49-(0)30 69 004-101
mail edin.dizdarevic () interActive-Systems de
URL http://www.interActive-Systems.de/security
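Added example (not part of the original post, and not code from the Snort or Barnyard projects): the script in the message removes old pidfiles and checks the pidfile and pidof after starting; the functions below show one way to classify a pidfile as absent, invalid, stale or running before a start. The function names and state labels are assumptions of this example.

```sh
#!/bin/sh
# Added example: classify a daemon pidfile before starting the daemon.
# The states and function names are this example's own, not Barnyard's.

# proc_name PID -> command name of PID, or empty if no such process.
# (/proc/PID/comm is truncated to 15 characters; "barnyard" fits.)
proc_name() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm" 2>/dev/null
    else
        ps -p "$1" -o comm= 2>/dev/null
    fi
}

# pidfile_state PIDFILE NAME -> prints absent | invalid | stale | running
pidfile_state() {
    pf_pid=""
    [ -s "$1" ] || { echo absent; return 0; }
    read -r pf_pid < "$1" || true
    # Accept only a plain decimal PID; the value is used in a /proc path
    # and would typically be passed to kill by a stop action.
    case $pf_pid in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac
    # A live PID is not enough: after a crash or reboot the number may
    # belong to an unrelated process, so the command name must match too.
    pf_name=$(proc_name "$pf_pid") || true
    if [ -n "$pf_name" ] && [ "$pf_name" = "$2" ]; then
        echo running
    else
        echo stale
    fi
}

# prepare_start PIDFILE NAME -> 0 if safe to start (leftover pidfile removed),
# 1 if NAME is already running under the recorded PID.
prepare_start() {
    case $(pidfile_state "$1" "$2") in
        running) return 1 ;;
        stale|invalid) rm -f -- "$1" ;;
    esac
    return 0
}
```

In an init script, `prepare_start /var/run/by.pid barnyard` would be called at the top of the start action, with a non-zero return mapped to the "already running" exit.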
Current thread:
- snort/Barnyard startup script Mike Cohen (Jul 06)
- RE: snort/Barnyard startup script Patrick S. Harper (Jul 07)
- Re: snort/Barnyard startup script Edin Dizdarevic (Jul 07)
- RE: snort/Barnyard startup script Patrick S. Harper (Jul 07)