Re: Multiple Instances of Snort and Barnyard2 Startup script

[Jack <kingofnerds () gmail com>]

I am successfully using a single barnyard2 configuration by passing
the variable " -i snort$COUNTER" in the startup script, this seems to
be all that is needed to separate the different instances in the
database. I am using mysql and base for the database portion.

On Tue, Sep 4, 2012 at 5:24 PM, beenph <beenph () gmail com> wrote:
> On Tue, Sep 4, 2012 at 5:09 PM, Jack <kingofnerds () gmail com> wrote:
> > In case anyone is interested, I modified a start script I found on a
> > forum somewhere to start multiple instances of snort and barnyard2. My
> > setup is using PF_RING on a CentOS 5.8 32bit box to run snort on the
> > last four cores in my 16 core system listening to a single span port
> > from two Juniper switches. I also attached the configs for snort and
> > barnyard2.
>
> Make sure you have multiple by2 configuration with a different instance name
> so you do run into cocurency issue if you log to database.
>
> -elz
>
>
> > #! /bin/sh
> >  #
> > ### BEGIN INIT INFO
> >
> > #---------- begin section for chkconfig support -----
> > # chkconfig: - 93 83
> > # description: Snort and Barnyard2 Sniffer
> > # processname: snortbarn
> > # config: /etc/snort/snort.conf /etc/snort/barnyard2.conf
> > # pidfile: /var/run/snort/
> > #---------- end section for chkconfig support -----
> >
> > #---------- begin section for debian dynamic start scripts -----
> > # Provides: snortbarn
> >
> > # Required-Start: $remote_fs $syslog mysql
> >
> > # Required-Stop: $remote_fs $syslog
> > # Default-Start: 2 3 4 5
> > # Default-Stop: 0 1 6
> >
> > # X-Interactive: true
> >
> > # Short-Description: Start Snort and Barnyard
> > #--------- end section for debian dynamic start scripts -----
> > ### END INIT INFO
> >
> > #/lib/init/vars.sh
> > /lib/lsb/init-functions
> > . /etc/rc.d/init.d/functions # added to support the status function in CentOS
> >
> > do_start() {
> >         #log_daemon_msg "Starting Snort and Barnyard" ""
> >
> >         # Make sure mysql has finished starting
> >
> >         ps_alive=0
> >         while [ $ps_alive -lt 1 ];
> >         do
> >         pidfile=/var/run/mysqld/mysqld.pid
> >         if [ -f "$pidfile" ] && ps `cat $pidfile` >/dev/null 2>&1;
> > then ps_alive=1; fi
> >         #echo "sleeping" >&2
> >         sleep 1
> >         done
> >        # numbers in COUNTER represent the core to which snort binds itself
> >         for COUNTER in 12 13 14 15; do
> >         /usr/local/bin/snort -D -u root -g snort -c
> > /etc/snort/snort.conf -i eth1 --pid-path=/var/run/snort$COUNTER -l
> > /var/log/snort/$COUNTER --daq-var bindcpu=$COUNTER
> >         /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d
> > /var/log/snort/$COUNTER -f snort.log -i snort$COUNTER -w
> > /etc/snort/bylog$COUNTER.waldo -G /etc/snort/gen-msg.map -S
> > /etc/snort/sid-msg.map -C /etc/snort/classification.config 2> /dev/nul
> > -D
> >         #log_end_msg 0
> >         done
> >
> >         return 0
> > }
> >
> > do_stop() {
> >         #log_daemon_msg "Stopping Snort and Barnyard" ""
> >         kill $(pidof snort) 2> /dev/nul
> >         kill $(pidof barnyard2) 2> /dev/nul
> >         sleep 5
> >         #log_end_msg 0
> >         return 0
> > }
> >
> > #do_status() {
> > #       # some lines to display status of running snort processes
> > #
> > #}
> >
> > case "$1" in
> >   start)
> >         do_start
> >  ;;
> >   stop)
> >         do_stop
> >  ;;
> >   restart)
> >         do_stop
> >         sleep 10
> >         do_start
> >  ;;
> >   status)
> >     status snort
> >     status barnyard2
> >     RETVAL=$?
> >  ;;
> >  *)
> >       echo "Usage: snort-barn {start|stop|restart|status}" >&2
> >     exit 3
> >  ;;
> > esac
> > exit 0
> >
> >
> > --
> > _____________________________________
> >  ---- In the end Nerds will Rule the World ----
> >
> > ------------------------------------------------------------------------------
> > Live Security Virtual Conference
> > Exclusive live event will cover all the ways today's security and
> > threat landscape has changed and how IT managers can respond. Discussions
> > will include endpoint security, mobile security and the latest in malware
> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!



-- 
_____________________________________
 ---- In the end Nerds will Rule the World ----

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!