Snort mailing list archives

Re: Ubuntu 8 /etc/rc.local issue


From: Tommie Giles <tgiles () gmail com>
Date: Fri, 7 Aug 2009 16:20:00 -0500

Yep, you can run multiple instances of Snort, as long as there's one
per interface.

For me, I took the lazy route and have this in my /etc/init.d/snort:

# Start one daemonized Snort per eth* interface reported by ifconfig
for i in $(/sbin/ifconfig | grep eth | /usr/bin/awk '{ print $1 }')
do
    /usr/local/bin/snort -i "$i" -c /etc/snort/snort.conf -D -F /etc/snort/excludes.conf &
    echo "starting snort for $i with PID $!"
done

This will grab a list of all running interfaces (but not bonded ones,
which are normally named bond0, bond1, etc over here), and run Snort
against them.

One stop shopping.

tom

On Fri, Aug 7, 2009 at 4:01 PM, Ams <ams.sec () gmail com> wrote:
I should be able to run 2 instances of Snort (one for each interface) and
Barnyard in Daemon mode? Is that correct? Thanks for your time.

On Fri, Aug 7, 2009 at 3:31 PM, Michael Boman <michael.boman () gmail com>
wrote:

Run snort in daemon mode, your system is still waiting for the snort
process to complete.

Best regards
Michael Boman

On Fri, Aug 7, 2009 at 22:10, Ams <ams.sec () gmail com> wrote:

Hi Guys,

I am trying to run snort at boot time automatically. Using Ubuntu 8-
Snort, barnyard compiled from source, 3 interfaces in total- 2 interfaces
for NIDS and 1 for management. I edited the /etc/rc.local file and added the
following lines:

Contents of /etc/rc.local
------------------------------------------------------------------
ifconfig eth0 up promisc
/usr/local/bin/snort -c /etc/snort.conf -i eth0
sudo /usr/local/bin/barnyard2 -c /etc/snort/barn2.conf -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo

ifconfig eth1 up promisc
/usr/local/bin/snort -c /etc/snort.conf -i eth1
sudo /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo
------------------------------------------------------------------------

When I do ps -aux|grep snort on startup, all I see running is
/usr/local/bin/snort -c /etc/snort.conf -i eth0. Why didn't the remaining
commands execute? Will appreciate your input. Thanks a bunch.

Ams




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



--
http://michaelboman.org - Security Blog & Wiki



--
Amit Bakhshi
Associate of (ISC)2 in CISSP, GPEN, GCIH, GWAS, GSEC, GISF, SSP-GHD, MCP,
SCJA





-- 
Tommie Giles

"If all else fails, immortality can always be assured by spectacular error."
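
Added example, not part of the original thread and not any poster's own script: an rc.local-style launcher that starts one daemonized Snort and one daemonized barnyard2 per sniffing interface, so no foreground process holds up the rest of the boot script. Assumptions: eth2 is the management interface, each instance gets its own log directory and waldo file under /var/log/snort, and the function names and DRY_RUN switch are hypothetical.

```shell
#!/bin/sh
# Added example: per-interface Snort + barnyard2, all started with -D.
SNORT=/usr/local/bin/snort          # binary paths as given in the thread
BARNYARD=/usr/local/bin/barnyard2
LOGROOT=/var/log/snort              # assumption: one subdirectory per interface
MGMT_IF=${MGMT_IF:-eth2}            # assumption: management NIC, never sniffed

# Read ifconfig-style text on stdin; print physical ethN names only.
# Skips aliases (eth0:1), loopback, bonds and the management interface.
list_sniff_ifaces() {
    awk -v skip="$MGMT_IF" '{ n = $1; sub(/:$/, "", n) }
        n ~ /^eth[0-9]+$/ && n != skip { print n }'
}

# Snort command line for one interface; -D makes it fork and return.
snort_cmd() {
    echo "$SNORT -D -i $1 -c /etc/snort/snort.conf -l $LOGROOT/$1"
}

# barnyard2 command line; spool directory and waldo file are per instance.
barnyard_cmd() {
    echo "$BARNYARD -D -c /etc/snort/barnyard2.conf" \
         "-G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map" \
         "-d $LOGROOT/$1 -f snort.log -w $LOGROOT/$1/barnyard.waldo"
}

# Start every instance, or only print the commands when DRY_RUN=1.
start_all() {
    /sbin/ifconfig -a | list_sniff_ifaces | while read -r ifc; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            snort_cmd "$ifc"; barnyard_cmd "$ifc"; continue
        fi
        mkdir -p "$LOGROOT/$ifc"
        /sbin/ifconfig "$ifc" up promisc
        # Paths contain no spaces, so word splitting of the command is safe.
        $(snort_cmd "$ifc")    || echo "snort failed on $ifc" >&2
        $(barnyard_cmd "$ifc") || echo "barnyard2 failed on $ifc" >&2
    done
}

# Constructed sample of ifconfig output for offline checks.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
eth0:1    Link encap:Ethernet  HWaddr 00:00:00:00:00:01
eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:02
eth2      Link encap:Ethernet  HWaddr 00:00:00:00:00:03
lo        Link encap:Local Loopback'

# Act only when invoked as "<script> start"; sourcing has no side effects.
if [ "${1:-}" = start ]; then start_all; fi
```

Running it with DRY_RUN=1 and the argument start prints the command lines without launching anything, which is a quick way to check the interface selection before putting the call into /etc/rc.local.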
