Snort mailing list archives

Updated: Improved snortd init script


From: JP Vossen <vossenjp () netaxs com>
Date: Sat, 24 May 2003 01:03:07 -0400 (EDT)

Added a check in case you try to execute snortd stats when Snort is not
running.  Otherwise the error is not very useful, especially for a newbie. Duh.

I was messing around with kill -USR1 {snort} and wondering why that was
not in the init script wrapper, so I added it. It works on my RedHat 8.0
box, but I've done no other testing.

What do you think?  Snort.org/Sourcefire guys: hopefully this will make
the stats a little easier for those just moving to UNIX (esp. snortd stats
opt).

Any suggestions for improvement (it's a bit ugly right now)?

Later,
JP

I hope the formatting survives my mailer...

----- Cut Here -----

#!/bin/sh
#
# snortd         Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description:  snort is a lightweight network intrusion detection tool that
#               currently detects more than 1100 host and network
#               vulnerabilities, portscans, backdoors, and more.
#
# June 10, 2000 -- Dave Wreski <dave () linuxsecurity com>
#   - initial version
#
# July 08, 2000 Dave Wreski <dave () guardiandigital com>
#   - added snort user/group
#   - support for 1.6.2
# July 31, 2000 Wim Vandersmissen <wim () bofh st>
#   - added chroot support
# May 23, 2003 JP Vossen <jp () jpsdomain org>
#   - added stats (long|opt) option
# May 24, 2003 JP Vossen <jp () jpsdomain org>
#   - added PID checking in case stats run when Snort is not running

# Source function library.
. /etc/rc.d/init.d/functions

# Specify your network interface here
INTERFACE=eth0

# See how we were called.
case "$1" in
  start)
        echo -n "Starting snort: "
        cd /var/log/snort
        daemon /usr/sbin/snort -A fast -b -l /var/log/snort -d -D \
                 -i $INTERFACE -c /etc/snort/snort.conf
        touch /var/lock/subsys/snort
        echo
        ;;
  stop)
        echo -n "Stopping snort: "
        killproc snort
        rm -f /var/lock/subsys/snort
        echo
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        status snort
        ;;
  stats | statistics)
        tc=100          # Trailing context to grep
        secs=3          # Seconds to wait for syslog
        syslog='/var/log/messages'
        # Grab Snort's PID
        pid=`pidof -o $$ -o $PPID -o %PPID -x snort`
        if [ ! -n "$pid" ]; then        # if we got no PID then:
                echo "Snort is not running."
                exit 2
        fi

        echo "Dumping Snort's ($pid) statistics to screen and $syslog"
        echo "please wait $secs seconds..."
        # Get the date and tell Snort to dump stats as close together in
        # time as possible (not 100% reliable, but it seems to work).
        startdate=`date '+%b %e %H:%M:%S'` && kill -USR1 $pid
        # Sleep for $secs secs to give syslog a chance to catch up
        sleep $secs     # May need to be adjusted for slow/busy systems
        if [ "$2" = "long" ]; then              # Long format
                egrep -A $tc "^$startdate .* snort:   ={79}" $syslog | \
                        grep snort:
        elif [ "$2" = "opt" ]; then             # OPTimize format
                # Just show stuff useful for optimizing Snort
                egrep -A $tc "^$startdate .* snort:   ={79}" $syslog | \
                  egrep "snort: Snort analyzed |snort: dropping|emory .aults:"
        else                                    # Default format
                egrep -A $tc "^$startdate .* snort:   ={79}" $syslog | \
                        grep snort: | cut -d: -f4-
        fi
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|status|stats (long|opt)}"
        exit 1
esac

exit 0

----- Cut Here -----


------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|                jp () jpsdomain org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows XP or better, so I installed
Linux..."
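The stats option above pulls the dump out of syslog with a fixed 100 lines of trailing context after the opening line of '=' characters. The following is an added example, not part of JP's script or of Snort, that bounds the block by the delimiter lines instead, so a busy log or a second dump a moment later cannot bleed into the output. It assumes Snort closes each statistics block with a second line of '=' and that syslog lines look like "Mon dd HH:MM:SS host snort: message"; the sample log, host name and statistic lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original init script: extract one Snort
# statistics dump from syslog, bounded by the delimiter lines rather than a
# fixed number of trailing lines.
# Assumptions: the block is closed by a second line of '=' characters, and
# syslog lines have the form "Mon dd HH:MM:SS host snort: message".

# snort_stats_block FILE STARTDATE
# Print the message part of each line in the block that starts at STARTDATE.
snort_stats_block() {
    awk -v start="$2" '
        # Opening delimiter stamped with our timestamp: start collecting
        !inblk && index($0, start) == 1 && /snort: +===+$/ { inblk = 1; next }
        # Closing delimiter: stop here, do not read into the next dump
        inblk && /snort: +===+$/ { exit }
        # Strip "Mon dd HH:MM:SS host snort: " (what cut -d: -f4- did)
        inblk { sub(/^[^:]*:[^:]*:[^:]*: ?/, ""); print }
    ' "$1"
}

# Constructed sample syslog with two dumps one second apart; the host name
# and the statistic lines are illustrative, not real Snort output.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
May 24 01:03:06 ids snort: [1:1000:1] example alert
May 24 01:03:07 ids snort:   ===============================================================================
May 24 01:03:07 ids snort: Snort analyzed 1500 out of 1500 packets
May 24 01:03:07 ids snort: The kernel dropped 0(0.000%) packets
May 24 01:03:07 ids snort: Memory faults: 0
May 24 01:03:07 ids snort:   ===============================================================================
May 24 01:03:08 ids snort:   ===============================================================================
May 24 01:03:08 ids snort: Snort analyzed 1700 out of 1700 packets
May 24 01:03:08 ids snort:   ===============================================================================
EOF

# Same usage as the init script: startdate=`date '+%b %e %H:%M:%S'`
snort_stats_block "$SAMPLE_LOG" "May 24 01:03:07"
```

Only the three lines of the 01:03:07 dump are printed; the dump at 01:03:08 is left untouched.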
