Snort mailing list archives
Re: Multiple Instances of Snort and Barnyard2 Startup script
From: beenph <beenph () gmail com>
Date: Tue, 4 Sep 2012 17:24:39 -0400
On Tue, Sep 4, 2012 at 5:09 PM, Jack <kingofnerds () gmail com> wrote:
In case anyone is interested, I modified a start script I found on a forum somewhere to start multiple instances of snort and barnyard2. My setup is using PF_RING on a CentOS 5.8 32bit box to run snort on the last four cores in my 16 core system listening to a single span port from two Juniper switches. I also attached the configs for snort and barnyard2.
Make sure you have multiple by2 configurations with a different instance name so you do run into concurrency issues if you log to a database.
-elz
#! /bin/sh
#
### BEGIN INIT INFO
#---------- begin section for chkconfig support -----
# chkconfig: - 93 83
# description: Snort and Barnyard2 Sniffer
# processname: snortbarn
# config: /etc/snort/snort.conf /etc/snort/barnyard2.conf
# pidfile: /var/run/snort/
#---------- end section for chkconfig support -----
#---------- begin section for debian dynamic start scripts -----
# Provides: snortbarn
# Required-Start: $remote_fs $syslog mysql
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# X-Interactive: true
# Short-Description: Start Snort and Barnyard
#--------- end section for debian dynamic start scripts -----
### END INIT INFO

#/lib/init/vars.sh /lib/lsb/init-functions
. /etc/rc.d/init.d/functions # added to support the status function in CentOS

do_start()
{
    #log_daemon_msg "Starting Snort and Barnyard" ""
    # Make sure mysql has finished starting
    ps_alive=0
    while [ $ps_alive -lt 1 ]; do
        pidfile=/var/run/mysqld/mysqld.pid
        if [ -f "$pidfile" ] && ps `cat "$pidfile"` >/dev/null 2>&1; then
            ps_alive=1
        fi
        #echo "sleeping" >&2
        sleep 1
    done

    # numbers in COUNTER represent the core to which snort binds itself
    for COUNTER in 12 13 14 15; do
        # one snort instance per core, each with its own pid path and log directory
        /usr/local/bin/snort -D -u root -g snort -c /etc/snort/snort.conf -i eth1 --pid-path=/var/run/snort$COUNTER -l /var/log/snort/$COUNTER --daq-var bindcpu=$COUNTER
        # one barnyard2 instance per snort log directory, each with its own waldo file
        /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/$COUNTER -f snort.log -i snort$COUNTER -w /etc/snort/bylog$COUNTER.waldo -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config 2> /dev/null -D
        #log_end_msg 0
    done
    return 0
}

do_stop()
{
    #log_daemon_msg "Stopping Snort and Barnyard" ""
    # stderr is discarded so a missing process does not print a kill usage error
    kill $(pidof snort) 2> /dev/null
    kill $(pidof barnyard2) 2> /dev/null
    sleep 5
    #log_end_msg 0
    return 0
}

#do_status() {
# # some lines to display status of running snort processes
# #}

RETVAL=0
case "$1" in
    start)
        do_start
        ;;
    stop)
        do_stop
        ;;
    restart)
        do_stop
        sleep 10
        do_start
        ;;
    status)
        status snort
        status barnyard2
        RETVAL=$?
        ;;
    *)
        echo "Usage: snort-barn {start|stop|restart|status}" >&2
        exit 3
        ;;
esac
# return the status result instead of always 0 (RETVAL stays 0 for the other actions)
exit $RETVAL

--
_____________________________________
---- In the end Nerds will Rule the World ----

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
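An added example, not part of either poster's message: a small check that reads barnyard2 command lines and reports any -c, -d, -i or -w value that more than one instance uses, which is the sharing the reply above advises against for the config file. The input lines are constructed from the loop in the script, and the per-instance config file name barnyard2-$COUNTER.conf is a hypothetical naming choice.

```shell
#!/bin/sh
# Added example: report barnyard2 option values reused across instances.
# Reads one barnyard2 command line per input line on stdin.
shared_by2_options() {
    awk '
    {
        for (i = 1; i < NF; i++) {
            # -c config file, -d spool directory, -i interface name, -w waldo file
            if ($i == "-c" || $i == "-d" || $i == "-i" || $i == "-w") {
                key = $i " " $(i + 1)
                count[key]++
                i++        # skip the option value
            }
        }
    }
    END {
        for (key in count)
            if (count[key] > 1)
                printf "%s used by %d instances\n", key, count[key]
    }' | sort
}

# Constructed input: the command lines the posted loop produces for cores 12-15
by2_cmdlines() {
    for COUNTER in 12 13 14 15; do
        echo "/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/$COUNTER -f snort.log -i snort$COUNTER -w /etc/snort/bylog$COUNTER.waldo -D"
    done
}

# Same loop with one config file per instance (hypothetical file naming)
by2_cmdlines_split() {
    for COUNTER in 12 13 14 15; do
        echo "/usr/local/bin/barnyard2 -c /etc/snort/barnyard2-$COUNTER.conf -d /var/log/snort/$COUNTER -f snort.log -i snort$COUNTER -w /etc/snort/bylog$COUNTER.waldo -D"
    done
}

echo "posted loop:"
by2_cmdlines | shared_by2_options
echo "per-instance configs:"
by2_cmdlines_split | shared_by2_options
```

For the posted loop the only shared value is the config file; the spool directory, interface name and waldo file are already unique per core.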