Snort mailing list archives

Re: snort/Barnyard startup script


From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Wed, 07 Jul 2004 14:02:55 +0200

Hi,

this is the way I have it added in my script, maybe you can use it (remember to adapt it for your system):

...
################################################################################
# General constants
#
# Snort binary
SNORT="/usr/local/bin/snort"
BY="/usr/local/bin/barnyard"
PIDOF="/sbin/pidof"
ECHO="/bin/echo"
RM="/bin/rm"
KILL="/bin/kill"
SLEEP="/bin/sleep"
# #
################################################################################


################################################################################
# Barnyard constants #
# Barnyard configuration file
BY_CFG="/etc/snort/barnyard.conf"

# Spoolfile, the file where Snort is logging the alerts. Must be same as in
# Snort configuration file. The appended time is detected automatically by BY.
BY_SPOOL="/var/log/snort/unified.log"

# Path to the sid-msg.map file. The file where the reference to the specific
# vulnerabilities is stored so we can find further information on alerts.
SID="/etc/snort/sid-msg.map"


# Path to the "waldo" file. That is, where Barnyard saves its current position
# in the spool. If BY has been restarted, it will not try to log again the
# alerts that have already been logged.
BY_WALDO="/var/log/snort/waldo.barnyard"

# #
################################################################################

...

# Starting Barnyard...
$ECHO "Starting Barnyard logging facility..."

# Find out if Barnyard is already running
BY_PID=$($PIDOF "$BY")

if [ -z "$BY_PID" ]
then
        "$ECHO" "No Barnyard instances available!"
        "$ECHO" "Continuing and removing old pidfiles if there..."
        # delete old pidfiles if there
        "$RM" -f /var/run/by.pid > /dev/null 2>&1
else
        # BY instance(s) found
        "$ECHO" "Barnyard already running!"
        "$ECHO" "Please call 'stop' or 'restart' first!"
        # Error
        exit 1
fi

# No BY instances running and no old pidfiles there

"$ECHO" "Starting Barnyard now..."
"$BY" -c "$BY_CFG" -f "$BY_SPOOL" -s "$SID" -w "$BY_WALDO"
# wait a second or two...
"$SLEEP" 2

# Read the pidfile (quietly, in case BY failed before writing it) and check
# for a live BY process
BY_PIDFILE=$(cat /var/run/by.pid 2>/dev/null)
BY_PID=$($PIDOF "$BY")

if [ ! -z "$BY_PIDFILE" -a ! -z "$BY_PID" ]
then
        "$ECHO" "Barnyard running now with PID $BY_PID."
else
        "$ECHO" -e "ERROR!\n"
        "$ECHO" "An error occurred! Barnyard is not running!"
        exit 1
fi

Regards,
Edin

Patrick S. Harper wrote:

There is a file called S99snort in the contrib dir where you uncompressed
the snort source files.  Copy that to /etc/init.d and create a symlink in
the run levels you want to run it in.  For barnyard I just modified the
snort init script, or you can just put it in rc.local (it would be better to
use a script though).



Patrick S. Harper | CISSP RHCT MCSE
www.internetsecurityguru.com

www.ntsug.org - Snort Users Group

"If there is no light at the end of the tunnel, get down there and light the
damn thing yourself!"
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Mike Cohen
Sent: Tuesday, July 06, 2004 9:34 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort/Barnyard startup script

Hello,
I'm fairly new to Linux, and have been tasked with building a snort sensor
for our network.

I have Suse 9 , snort 2.12 with Barnyard 0.2.0 and mysql up and running.
None of the services (apache/mysql/barnyard/snort) are running when I start
the server.

I see that I can add apache and mysql to the various runlevels using Yast,
but I'm not quite sure how exactly to script the startup of snort and
barnyard.

I've seen references to snortd, but I can't seem to find any definitive
references to make snort a daemon, other than the command line switch, which
would mean I'd have to have it in a script somewhere.

I have no experience with startup scripting of any kind other than dumping
one liners in rc.local.

I see that startup scripts would go in the appropriate runlevel folder, but
is a startup script as simple as just typing in the snort start command
with the proper switches, saving it as a file and dumping it in the right
rc.3 and rc.5 directories? From what I can gather there is more to it, and it
looks like it involves some C coding (which I don't know).

Can someone point me in the right direction? All the books mention using some
runlevel editor tool, but that doesn't seem to apply to snort, since it's not
a distro-installed service.

Any help or insight appreciated.
Thanks.

Mike C.


-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self
defense, top technical experts, no vendor pitches, unmatched networking
opportunities. Visit www.blackhat.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





--
Edin Dizdarevic
Networking Development
System Developer

iAS interActive Systems
Gesellschaft fuer interaktive Medien mbH
Dieffenbachstr. 33c
10967 Berlin
Germany

fon     +49-(0)30 69 004-123
fax     +49-(0)30 69 004-101
mail    edin.dizdarevic () interActive-Systems de
URL     http://www.interActive-Systems.de/security


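As an added example (not Edin's script and not code from the Barnyard project), here is the status/stop half that the post elides with "...", written so that a stale /var/run/by.pid left behind by a crash is detected and cleaned up instead of blocking the next start. The function names, the LSB-style return codes and the use of kill -0 as the liveness probe are my choices, not anything from the thread:

```shell
#!/bin/sh
# Added example, not Edin's script: pidfile-aware status/stop helpers for a
# Barnyard init script. Names and paths are assumptions; adjust for your system.

# by_status PIDFILE
# Prints running|stale|stopped; returns LSB-style codes: 0 = running,
# 1 = pidfile present but process gone (stale), 3 = no pidfile.
by_status() {
    pidfile="$1"
    [ -r "$pidfile" ] || { echo "stopped"; return 3; }
    pid=$(cat "$pidfile" 2>/dev/null)
    # Accept only a plain positive integer: a truncated or tampered pidfile
    # must never reach kill(1).
    case "$pid" in
        ''|*[!0-9]*) echo "stale"; return 1 ;;
    esac
    # kill -0 probes existence without signalling. It also fails with EPERM
    # for another user's process, which is fine for an init script run as root.
    if kill -0 "$pid" 2>/dev/null; then
        echo "running"; return 0
    fi
    echo "stale"; return 1
}

# by_stop PIDFILE [TIMEOUT]
# TERM first, wait up to TIMEOUT seconds for a clean shutdown (so Barnyard can
# update its waldo file), KILL only as a last resort, then drop the pidfile.
by_stop() {
    pidfile="$1"; timeout="${2:-10}"
    st=0
    by_status "$pidfile" >/dev/null || st=$?
    case "$st" in
        0) ;;                                   # running: proceed
        1) rm -f "$pidfile"; return 0 ;;        # stale: just clean up
        *) return 0 ;;                          # nothing to stop
    esac
    pid=$(cat "$pidfile")
    kill -TERM "$pid" 2>/dev/null || true
    i=0
    while kill -0 "$pid" 2>/dev/null && [ "$i" -lt "$timeout" ]; do
        sleep 1; i=$((i + 1))
    done
    if kill -0 "$pid" 2>/dev/null; then
        kill -KILL "$pid" 2>/dev/null || true
    fi
    rm -f "$pidfile"
    return 0
}
```

From the script's stop target this would be called as by_stop /var/run/by.pid, and from a status target as by_status /var/run/by.pid; the start part can then treat a "stale" result as permission to remove the old pidfile, which is what the pidof check in Edin's script does by other means.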

