Re: a little perl and a touch of cron

[Andreas Brenk <ab () aegisnet de>]

Hi.

Has anybody already done similar work in order to use Snort and Demarc
under Dan Bernstein's Daemontools?

This would take over the work of checking if the processes are running
and restarting them if necessary.

A script running out of cron doesn't sound that nice to me...

AB

* Sean Wheeler <S.Wheeler () netprotect ch> [010802 12:11]:
> Hello,
>
> I have knocked up a quickie perl script to check if snort & demarc are running, if either have failed it will kill 
> the remaining processes and restart the demarc client.
>
> This works nicely for those sensors who are placed in the wild with no remote access to the machine. A problem I have 
> experienced is that when the DB server is not available the demarc client stops, with no remote access it would be a 
> hassle to restart, so the script takes care of that. Furthermore the script does not just stop the processes, it 
> first checks if they are running, no point in stopping a happy little process.
>
> Having no listening services, and the ability the still remotely modify snort is turning out very nicely, I am 
> working on using IPSEC & freeSWAN for the client communication with the remote DB server.
>
>
> A couple additions to come are :
> mail notification if the process won't restart ( i.e. bad syntax in an updated snort rulebase )
> a little spring cleaning
> (your additions here)
>
> For those of you not using demarc the script could be easily modified to do what you need. The script can be placed 
> in /etc/cron.hourly/ or where you may want to call it from cron.
>
> Installation to run every hour :
> cut & paste into a file /etc/cron.hourly/checksnort
> chmod 550 /etc/cron.hourly/checksnort
>
>
> Below is the script, if you think it is ugly I don't want to know about it, it's dirty but it works....nicely
>
> #!/usr/bin/perl
> $whattodo =0;
> $snort_conf_file = "/etc/snort/vision.conf";
> $result = `/bin/ps -ax |/usr/bin/grep snort`;
> if ($result=~/snort.*\-c $snort_conf_file/){
> #print "Snort is running:\n";
> $whattodo=0;
> }
> else {
> #print "Bummer Snort is Dead\n";
> $whattodo=1;
> }
>
> $result = `/bin/ps -ax |/usr/bin/grep DEMARC`;
> if ($result=~/DEMARC_Client/){
> #print "DEMARC is running\n";
> }
> else {
> #print "Bummer DEMARC is Dead\n";
> $whattodo=1;
> }
>
> &whattodo;
>
> sub whattodo {
> if ($whattodo ne 0){
> #print "KILL DA LEFTOVERS !!!!!!\n";
> $snortdie =`/usr/bin/killall snort`;
> $demarcdie =`/usr/bin/killall demarc_c.pl`;
> system ("/usr/local/bin/demarc_c.pl &");
> #print "GO ON HOLIDAY\n";
>                 }
> }
--
Mit freundlichen Grüßen

Andreas Brenk
mailto:ab () aegisnet de

AegisNet IT-Dienstleistungen
Postfach 62 03 71
22403 Hamburg
http://www.aegisnet.de
Tel. und Fax: +49-(0)700-AEGISNET


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users