Snort mailing list archives
Snort & Barnyard init.d script for Debian
From: "Crook, Parker" <Parker_Crook () reyrey com>
Date: Fri, 19 Mar 2010 09:46:20 -0400
Howdy fellow Snortheads, I apologize for the long post this morning, and I really hope I am not reinventing the wheel with this, but hopefully I am helping somebody out there. I retasked the /etc/init.d/snortd script for Fedora over to Debian and included some changes to control barnyard as well (this also includes a new section that I dropped into the /etc/sysconfig/snort file, so I will start here with just the additional lines to the sysconfig file: ################################################################################# #Options below are for helping snortd start Barnyard2 ###Note: If using multiple interfaces use barnyard2.ethX.conf for file names. #Directory containing the barnyard.conf file (no trailing slash). BARN_CONF=/etc/snort #Location of gen-msg.map GEN_MSG=/etc/snort/gen-msg.map #Location of sid-msg.map SID_MSG=/etc/snort/sid-msg.map #logfile prefix; ie snort.u2 ALERTFILE=snort.u2 #name of Waldo file WALDO=barnyard2.waldo And below is the reworked Debian version of the snortd script with additions to control barnyard as well: #!/bin/sh # $Id$ # # snortd Start/Stop the snort IDS daemon. # # chkconfig: 2345 40 60 # description: snort is a lightweight network intrusion detection tool that \ # currently detects more than 1100 host and network \ # vulnerabilities, portscans, backdoors, and more. # # Source function library. - COMMENTED OUT, NOT USED IN DEBIAN #. /etc/rc.d/init.d/functions # Source the local configuration file . /etc/sysconfig/snort # Convert the /etc/sysconfig/snort settings to something snort can # use on the startup line. ##ADD the following vars: if [ "$ALERTMODE"X = "X" ]; then ALERTMODE="" else ALERTMODE="-A $ALERTMODE" fi if [ "$USER"X = "X" ]; then USER="snort" fi if [ "$GROUP"X = "X" ]; then GROUP="snort" fi if [ "$BINARY_LOG"X = "1X" ]; then BINARY_LOG="-b" else BINARY_LOG="" fi if [ "$CONF"X = "X" ]; then CONF="-c /etc/snort/snort.conf" else CONF="-c $CONF" fi if [ "$INTERFACE"X = "X" ]; then INTERFACE="-i eth0" else INTERFACE="-i $INTERFACE" fi if [ "$DUMP_APP"X = "1X" ]; then DUMP_APP="-d" else DUMP_APP="" fi if [ "$NO_PACKET_LOG"X = "1X" ]; then NO_PACKET_LOG="-N" else NO_PACKET_LOG="" fi if [ "$PRINT_INTERFACE"X = "1X" ]; then PRINT_INTERFACE="-I" else PRINT_INTERFACE="" fi if [ "$PASS_FIRST"X = "1X" ]; then PASS_FIRST="-o" else PASS_FIRST="" fi if [ "$LOGDIR"X = "X" ]; then LOGDIR=/var/log/snort fi # These are used by the 'stats' option if [ "$SYSLOG"X = "X" ]; then SYSLOG=/var/log/messages fi if [ "$SECS"X = "X" ]; then SECS=5 fi if [ ! "$BPFFILE"X = "X" ]; then BPFFILE="-F $BPFFILE" fi ######For Barnyard: #The directory where your barnyard conf(s) live. See the program calls below for expected name formatting. if [ "BARN_CONF"X = "X" ]; then BARN_CONF=/etc/snort fi #location & name of gen-msg map if [ "$GEN_MSG"X = "X" ]; then GEN_MSG=/etc/snort/gen-msg.map fi #location & name of sid-msg map if [ "$SID_MSG"X = "X" ]; then SID_MSG=/etc/snort/sid-msg.map fi #name of alert files if [ "$ALERTFILE"X = "X" ]; then ALERTFILE=snort.u2 fi #name of waldo file if [ "$WALDO"X = "X" ]; then WALDO=barnyard2.waldo fi ###################################### # Now to the real heart of the matter: # See how we were called. case "$1" in start) echo -n "Starting snort: " cd $LOGDIR if [ "$INTERFACE" = "-i ALL" ]; then for i in `cat /proc/net/dev|grep eth|awk -F ":" '{ print $1; }'` do mkdir -p "$LOGDIR/$i" chown -R $USER:$GROUP $LOGDIR /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF /usr/local/bin/barnyard2 -D -c $BARN_CONF/barnyard2.$i.conf -G $GEN_MSG -S $SID_MSG -d $LOGDIR/$i -f $ALERTFILE -w $LOGDIR/$i/$WALDO -u $USER -g $GROUP done else # check if more than one interface is given if [ `echo $INTERFACE|wc -w` -gt 2 ]; then for i in `echo $INTERFACE | sed s/"-i "//` do mkdir -p "$LOGDIR/$i" chown -R $USER:$GROUP $LOGDIR /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF /usr/local/bin/barnyard2 -D -c $BARN_CONF/barnyard2.$i.conf -G $GEN_MSG -S $SID_MSG -d $LOGDIR/$i -f $ALERTFILE -w $LOGDIR/$i/$WALDO -u $USER -g $GROUP done else # Run with a single interface (default) /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF /usr/local/bin/barnyard2 -D -c $BARN_CONF/barnyard2.conf -G $GEN_MSG -S $SID_MSG -d $LOGDIR -f $ALERTFILE -w $$LOGDIR/$WALDO -u $USER -g $GROUP fi fi touch /var/lock/subsys/snort echo ;; stop) echo -n "Stopping snort: " kill `pidof snort` kill `pidof barnyard2` rm -f /var/lock/snort echo ;; reload) echo "Reloading Snort: " kill -s HUP `pidof snort` ;; restart) $0 stop $0 start ;; condrestart) [ -e /var/lock/snort ] && $0 restart ;; stats) TC=125 # Trailing context to grep SNORTNAME='snort' # Process name to look for if [ ! -x "/bin/pidof" ]; then echo "/bin/pidof not present, sorry, I cannot go on like this!" exit 1 fi #Grab Snort's PID PID=`pidof -o $$ -o $PPID -o %PPID -x ${SNORTNAME}` if [ ! -n "$PID" ]; then # if we got no PID then: echo "No PID found: ${SNORTNAME} must not running." exit 2 fi echo "" echo "*******" echo "WARNING: This feature is EXPERIMENTAL - please report errors!" echo "*******" echo "" echo "You can also run: $0 stats [long | opt]" echo "" echo "Dumping ${SNORTNAME}'s ($PID) statistics" echo "please wait..." # Get the date and tell Snort to dump stats as close together in # time as possible--not 100%, but it seems to work. startdate=`date '+%b %e %H:%M:%S'` # This causes the stats to be dumped to syslog kill -USR1 $PID # Sleep for $SECS secs to give syslog a chance to catch up # May need to be adjusted for slow/busy systems sleep $SECS if [ "$2" = "long" ]; then # Long format egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \ grep snort.*: elif [ "$2" = "opt" ]; then # OPTimize format # Just show stuff useful for optimizing Snort egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \ egrep "snort.*: Snort analyzed |snort.*: dropping|emory .aults:" else # Default format egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \ grep snort.*: | cut -d: -f4- fi ;; *) echo "Usage: $0 {start|stop|reload|restart|condrestart|stats (long|opt)}" exit 2 esac exit 0
------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort & Barnyard init.d script for Debian Crook, Parker (Mar 19)
- Re: Snort & Barnyard init.d script for Debian Crook, Parker (Mar 19)