Snort mailing list archives

Re: Snort & Barnyard init.d script for Debian


From: "Crook, Parker" <Parker_Crook () reyrey com>
Date: Fri, 19 Mar 2010 15:43:52 -0400

Good afternoon everyone,

So my previous post just goes to show why exactly I should not post to mailing lists in the morning...

Under the single interface startup section, I noticed I placed a double dollar on the -w $LOGDIR/$WALDO section, as seen below:

/usr/local/bin/barnyard2 -D -c $BARN_CONF/barnyard2.conf -G $GEN_MSG -S $SID_MSG -d $LOGDIR -f $ALERTFILE -w $$LOGDIR/$WALDO -u $USER -g $GROUP

So that line should read:

/usr/local/bin/barnyard2 -D -c $BARN_CONF/barnyard2.conf -G $GEN_MSG -S $SID_MSG -d $LOGDIR -f $ALERTFILE -w $LOGDIR/$WALDO -u $USER -g $GROUP

Sorry for not noticing it earlier. I have been running it on my boxes with multiple interfaces, and when I threw it on another box watching just one interface I was getting something like this:

ps aux | grep snort

snort    19695  0.0  0.1   7532  3884 ?        Ss   15:47   0:00 /usr/local/bin/barnyard2 -D -c /etc/snort/barnyard2.conf -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d /var/log/snort -f snort.u2 -w 19686LOGDIR/barnyard2.waldo -u snort -g snort

Well, that's all for now.

-Parker

  _____

From: Crook, Parker [mailto:Parker_Crook () reyrey com]
Sent: Friday, March 19, 2010 9:46 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort & Barnyard init.d script for Debian

Howdy fellow Snortheads,

I apologize for the long post this morning, and I really hope I am not reinventing the wheel with this, but hopefully I am helping somebody out there. I retasked the /etc/init.d/snortd script for Fedora over to Debian and included some changes to control barnyard as well (this also includes a new section that I dropped into the /etc/sysconfig/snort file), so I will start here with just the additional lines to the sysconfig file:

#################################################################################
# Options below are for helping snortd start Barnyard2
### Note: If using multiple interfaces use barnyard2.ethX.conf for file names.

# Directory containing the barnyard2.conf file(s) (no trailing slash).
BARN_CONF=/etc/snort

# Location of gen-msg.map
GEN_MSG=/etc/snort/gen-msg.map

# Location of sid-msg.map
SID_MSG=/etc/snort/sid-msg.map

# Logfile prefix (the -f argument to barnyard2); i.e. snort.u2
ALERTFILE=snort.u2

# Name of the waldo (bookmark) file
WALDO=barnyard2.waldo

And below is the reworked Debian version of the snortd script with additions to control barnyard as well:


#!/bin/sh
# $Id$
#
# snortd         Start/Stop the snort IDS daemon (and barnyard2).
#
# chkconfig: 2345 40 60
# description:  snort is a lightweight network intrusion detection tool that \
#                currently detects more than 1100 host and network \
#                vulnerabilities, portscans, backdoors, and more.
#
### BEGIN INIT INFO
# Provides:          snort
# Required-Start:    $network $syslog $remote_fs
# Required-Stop:     $network $syslog $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start/stop the snort IDS daemon and barnyard2
### END INIT INFO

# Source function library. - COMMENTED OUT, NOT USED IN DEBIAN
#. /etc/rc.d/init.d/functions

# Source the local configuration file
. /etc/sysconfig/snort

# Convert the /etc/sysconfig/snort settings to something snort can
# use on the startup line.

##ADD the following vars:

if [ "$ALERTMODE"X = "X" ]; then
   ALERTMODE=""
else
   ALERTMODE="-A $ALERTMODE"
fi

if [ "$USER"X = "X" ]; then
   USER="snort"
fi

if [ "$GROUP"X = "X" ]; then
   GROUP="snort"
fi

if [ "$BINARY_LOG"X = "1X" ]; then
   BINARY_LOG="-b"
else
   BINARY_LOG=""
fi

if [ "$CONF"X = "X" ]; then
   CONF="-c /etc/snort/snort.conf"
else
   CONF="-c $CONF"
fi

if [ "$INTERFACE"X = "X" ]; then
   INTERFACE="-i eth0"
else
   INTERFACE="-i $INTERFACE"
fi

if [ "$DUMP_APP"X = "1X" ]; then
   DUMP_APP="-d"
else
   DUMP_APP=""
fi

if [ "$NO_PACKET_LOG"X = "1X" ]; then
   NO_PACKET_LOG="-N"
else
   NO_PACKET_LOG=""
fi

if [ "$PRINT_INTERFACE"X = "1X" ]; then
   PRINT_INTERFACE="-I"
else
   PRINT_INTERFACE=""
fi

if [ "$PASS_FIRST"X = "1X" ]; then
   PASS_FIRST="-o"
else
   PASS_FIRST=""
fi

if [ "$LOGDIR"X = "X" ]; then
   LOGDIR=/var/log/snort
fi

# These are used by the 'stats' option
if [ "$SYSLOG"X = "X" ]; then
   SYSLOG=/var/log/messages
fi

if [ "$SECS"X = "X" ]; then
   SECS=5
fi

if [ ! "$BPFFILE"X = "X" ]; then
   BPFFILE="-F $BPFFILE"
fi

###### For Barnyard:
# The directory where your barnyard conf(s) live.  See the program calls
# below for expected name formatting.
if [ "$BARN_CONF"X = "X" ]; then
   BARN_CONF=/etc/snort
fi

# location & name of gen-msg map
if [ "$GEN_MSG"X = "X" ]; then
   GEN_MSG=/etc/snort/gen-msg.map
fi

# location & name of sid-msg map
if [ "$SID_MSG"X = "X" ]; then
   SID_MSG=/etc/snort/sid-msg.map
fi

# name of alert files
if [ "$ALERTFILE"X = "X" ]; then
   ALERTFILE=snort.u2
fi

# name of waldo file
if [ "$WALDO"X = "X" ]; then
   WALDO=barnyard2.waldo
fi

######################################
# Now to the real heart of the matter:

# Lock file used by start/stop/condrestart.  Debian has no /var/lock/subsys,
# so the same path is used everywhere.
LOCKFILE=/var/lock/snort

# See how we were called.
case "$1" in
  start)
        echo -n "Starting snort: "
        cd $LOGDIR
        if [ "$INTERFACE" = "-i ALL" ]; then
           # One snort and one barnyard2 per ethX interface, each with its
           # own log directory and its own barnyard2.ethX.conf.
           for i in `cat /proc/net/dev | grep eth | awk -F ":" '{ print $1; }'`
           do
                mkdir -p "$LOGDIR/$i"
                chown -R $USER:$GROUP $LOGDIR
                /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
                /usr/local/bin/barnyard2 -D -c $BARN_CONF/barnyard2.$i.conf -G $GEN_MSG -S $SID_MSG -d $LOGDIR/$i -f $ALERTFILE -w $LOGDIR/$i/$WALDO -u $USER -g $GROUP
           done
        else
           # check if more than one interface is given ("-i eth0 eth1" is 3 words)
           if [ `echo $INTERFACE | wc -w` -gt 2 ]; then
              for i in `echo $INTERFACE | sed s/"-i "//`
              do
                  mkdir -p "$LOGDIR/$i"
                  chown -R $USER:$GROUP $LOGDIR
                  /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
                  /usr/local/bin/barnyard2 -D -c $BARN_CONF/barnyard2.$i.conf -G $GEN_MSG -S $SID_MSG -d $LOGDIR/$i -f $ALERTFILE -w $LOGDIR/$i/$WALDO -u $USER -g $GROUP
              done
           else
              # Run with a single interface (default)
              /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF
              /usr/local/bin/barnyard2 -D -c $BARN_CONF/barnyard2.conf -G $GEN_MSG -S $SID_MSG -d $LOGDIR -f $ALERTFILE -w $$LOGDIR/$WALDO -u $USER -g $GROUP
           fi
        fi
        touch $LOCKFILE
        echo
        ;;
  stop)
        echo -n "Stopping snort: "
        # pidof prints nothing when a daemon is not running; do not call
        # kill with an empty argument list in that case.
        PIDS=`pidof snort` && kill $PIDS
        PIDS=`pidof barnyard2` && kill $PIDS
        rm -f $LOCKFILE
        echo
        ;;
  reload)
        echo "Reloading Snort: "
        PIDS=`pidof snort` && kill -s HUP $PIDS
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  condrestart)
        [ -e $LOCKFILE ] && $0 restart
        ;;
  stats)
        TC=125                          # Trailing context to grep
        SNORTNAME='snort'               # Process name to look for

        if [ ! -x "/bin/pidof" ]; then
           echo "/bin/pidof not present, sorry, I cannot go on like this!"
           exit 1
        fi

        # Grab Snort's PID
        PID=`pidof -o $$ -o $PPID -o %PPID -x ${SNORTNAME}`

        if [ ! -n "$PID" ]; then        # if we got no PID then:
           echo "No PID found: ${SNORTNAME} must not be running."
           exit 2
        fi

        echo ""
        echo "*******"
        echo "WARNING:  This feature is EXPERIMENTAL - please report errors!"
        echo "*******"
        echo ""
        echo "You can also run: $0 stats [long | opt]"
        echo ""
        echo "Dumping ${SNORTNAME}'s ($PID) statistics"
        echo "please wait..."

        # Get the date and tell Snort to dump stats as close together in
        # time as possible--not 100%, but it seems to work.
        startdate=`date '+%b %e %H:%M:%S'`

        # This causes the stats to be dumped to syslog
        kill -USR1 $PID

        # Sleep for $SECS secs to give syslog a chance to catch up
        # May need to be adjusted for slow/busy systems
        sleep $SECS

        if [ "$2" = "long" ]; then              # Long format
            egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \
                grep snort.*:
        elif [ "$2" = "opt" ]; then             # OPTimize format
           # Just show stuff useful for optimizing Snort
            egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \
                egrep "snort.*: Snort analyzed |snort.*: dropping|emory .aults:"
        else                                    # Default format
            egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \
                grep snort.*: | cut -d: -f4-
        fi
        ;;
  *)
        echo "Usage: $0 {start|stop|reload|restart|condrestart|stats (long|opt)}"
        exit 2
esac

exit 0
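As an added example (not code from Parker's post or from the Snort or barnyard2 projects), the script below rebuilds the barnyard2 command lines the init script generates, from a constructed /etc/sysconfig/snort fragment, and shows what the shell actually makes of `-w $$LOGDIR/$WALDO`: `$$` is the shell's own PID, so the waldo path becomes `<pid>LOGDIR/barnyard2.waldo`, exactly the `19686LOGDIR/...` seen in the `ps` output. It also adds a small check a practitioner would want in an init script: before starting a daemon, confirm the waldo argument really is an absolute path below LOGDIR. The variable names and directory layout follow the posted script; the sysconfig values are illustrative, and nothing here starts snort or barnyard2.

```shell
#!/bin/sh
# Added example, not part of the original post: build the barnyard2 command
# lines the init script would run and demonstrate the "$$LOGDIR" expansion.
# Only strings are produced; no daemon is started.

# Constructed sample of /etc/sysconfig/snort (illustrative values, written
# to a temp file so it can be sourced the same way the init script does).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
INTERFACE="eth0 eth1"
LOGDIR=/var/log/snort
USER=snort
GROUP=snort
BARN_CONF=/etc/snort
GEN_MSG=/etc/snort/gen-msg.map
SID_MSG=/etc/snort/sid-msg.map
ALERTFILE=snort.u2
WALDO=barnyard2.waldo
EOF
. "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"

# Same defaults the init script applies; ${VAR:-default} is the one-line
# POSIX equivalent of the script's   if [ "$VAR"X = "X" ]; then ...; fi
USER=${USER:-snort}
GROUP=${GROUP:-snort}
LOGDIR=${LOGDIR:-/var/log/snort}
BARN_CONF=${BARN_CONF:-/etc/snort}
GEN_MSG=${GEN_MSG:-/etc/snort/gen-msg.map}
SID_MSG=${SID_MSG:-/etc/snort/sid-msg.map}
ALERTFILE=${ALERTFILE:-snort.u2}
WALDO=${WALDO:-barnyard2.waldo}

# barnyard2 command line for one interface ($1), or for the single-interface
# layout when $1 is empty.  Mirrors the script's per-interface scheme:
# log directory $LOGDIR/<iface>/ and config barnyard2.<iface>.conf.
barnyard_cmd() {
    if [ -n "$1" ]; then
        conf="$BARN_CONF/barnyard2.$1.conf"
        dir="$LOGDIR/$1"
    else
        conf="$BARN_CONF/barnyard2.conf"
        dir="$LOGDIR"
    fi
    echo "/usr/local/bin/barnyard2 -D -c $conf -G $GEN_MSG -S $SID_MSG" \
         "-d $dir -f $ALERTFILE -w $dir/$WALDO -u $USER -g $GROUP"
}

# One command line per configured interface, the way the "-i ALL" and
# multi-interface branches of the init script loop.
all_barnyard_cmds() {
    for i in $INTERFACE; do
        barnyard_cmd "$i"
    done
}

# The typo from the first post: the shell parses "$$LOGDIR" as "$$" (its own
# PID) followed by the literal text "LOGDIR", never as "$LOGDIR".
buggy_waldo() { echo "$$LOGDIR/$WALDO"; }
fixed_waldo() { echo "$LOGDIR/$WALDO"; }

# Sanity check for a generated command line: the -w (waldo) argument must be
# an absolute path below LOGDIR.  Returns 0 when it is, 1 otherwise.
waldo_ok() {
    w=$(echo "$1" | sed -n 's/.* -w \([^ ]*\).*/\1/p')
    case "$w" in
        "$LOGDIR"/*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Stand-alone run ("sh this.sh show"): print what would be started and
# show the bad waldo path being rejected.
if [ "${1:-}" = "show" ]; then
    all_barnyard_cmds
    echo "fixed waldo: $(fixed_waldo)"
    echo "buggy waldo: $(buggy_waldo)"
    waldo_ok "$(barnyard_cmd eth0)" && echo "eth0 command line: waldo path ok"
    waldo_ok "/usr/local/bin/barnyard2 -w $(buggy_waldo)" || echo "buggy command line: waldo path rejected"
fi
```

The check in `waldo_ok` is cheap and catches the whole class of problem the first post ran into: barnyard2 will happily create a bookmark file at a relative path like `19686LOGDIR/barnyard2.waldo` inside whatever directory the script `cd`'d into, and the next start (with a new PID) will look somewhere else and reprocess the spool from the beginning.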





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
