Re: Ubuntu 8 /etc/rc.local issue

[Ams <ams.sec () gmail com>]

Awesome. Works like a charm. Thanks for all you help guys.

On Fri, Aug 7, 2009 at 4:20 PM, Tommie Giles <tgiles () gmail com> wrote:

> Yep, you can run multiple instances of Snort, as long as  there's one
> per interface.
>
> For me, I took the lazy route and have this in my /etc/init.d/snort:
>
> for i in `/sbin/ifconfig | grep eth | /usr/bin/awk ' { print $1 } '`
> do
> /usr/local/bin/snort -i $i -c /etc/snort/snort.conf -D -F
> /etc/snort/excludes.conf &
> echo "starting snort for $i with PID $!"
> done
>
> This will grab a list of all running interfaces (but not bonded ones,
> which are normally named bond0, bond1, etc over here), and run Snort
> against them.
>
> One stop shopping.
>
> tom
>
> On Fri, Aug 7, 2009 at 4:01 PM, Ams<ams.sec () gmail com> wrote:
> >  I should be able to run 2 instances of Snort (one for each interface)
> and
> > Barnyard in Daemon mode? Is that correct? Thanks for your time.
> >
> > On Fri, Aug 7, 2009 at 3:31 PM, Michael Boman <michael.boman () gmail com>
> > wrote:
> > > Run snort in daemon mode, your system is still waiting for the snort
> > > process to complete.
> > >
> > > Best regards
> > > Michael Boman
> > >
> > > On Fri, Aug 7, 2009 at 22:10, Ams <ams.sec () gmail com> wrote:
> > > > Hi Guys,
> > > >
> > > > I am trying to run snort at boot time automatically. Using Ubuntu 8-
> > > > Snort, barnyard compiled from source, 3 interfaces in total- 2
> interfaces
> > > > for NIDS and 1 for management. I edited the /etc/rc.local file and
> added the
> > > > following lines:
> > > >
> > > > Contents of /etc/rc.local
> > > > ------------------------------------------------------------------
> > > > ifconfig eth0 up promisc
> > > > /usr/local/bin/snort -c /etc/snort.conf -i eth0
> > > > sudo /usr/local/bin/barnyard2 -c /etc/snort/barn2.conf -G
> > > > /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d /var/log/snort -f
> > > > snort.log -w /var/log/snort/barnyard.waldo
> > > >
> > > > ifconfig eth1 up promisc
> > > > /usr/local/bin/snort -c /etc/snort.conf -i eth1
> > > > sudo /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -G
> > > > /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d /var/log/snort -f
> > > > snort.log -w /var/log/snort/barnyard.waldo
> ------------------------------------------------------------------------
> > > > When I do ps -aux|grep snort on startup, all I see running is
> > > > /usr/local/bin/snort -c /etc/snort.conf -i eth0. Why didn't the
> remaining
> > > > commands execute? Will appreciate your input. Thanks a bunch.
> > > >
> > > > Ams
> ------------------------------------------------------------------------------
> > > > Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> > > > 30-Day
> > > > trial. Simplify your report design, integration and deployment - and
> > > > focus on
> > > > what you do best, core application coding. Discover what's new with
> > > > Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > >
> > >
> > > --
> > > http://michaelboman.org - Security Blog & Wiki
> >
> >
> >
> > --
> > Amit Bakhshi
> > Associate of (ISC)2 in CISSP, GPEN, GCIH, GWAS, GSEC, GISF, SSP-GHD, MCP,
> > SCJA
> ------------------------------------------------------------------------------
> > Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> > trial. Simplify your report design, integration and deployment - and
> focus
> > on
> > what you do best, core application coding. Discover what's new with
> > Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> --
> Tommie Giles
>
> "If all else fails, immortality can always be assured by spectacular
> error."



-- 
Ams

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users