Snort mailing list archives

Re: Startup Script (init.d)


From: Robert Millott <robm () millottandassociates com>
Date: Fri, 31 Oct 2014 10:00:20 -0400

Here is a copy of my script. May not be the best thing possible, but it
works for us.  If anyone has suggestions on how to improve it, I'll
definitely take them.

#!/bin/sh
# Get the interface that doesn't have an IPv4 address assigned to it and
# assume that's the sniffing interface.
export iface=$(ifconfig | grep -B1 "inet6" | awk '$1!="inet6" && $1!="--" && $1!="inet" {print $1}' | sed 's/:$//')
ifconfig $iface up

# Stop the first Snort instance if its pidfile is present.
if [ -f /etc/snort/pid1/snort_$iface.pid ]
then
        echo -e "Shutting down Snort" /etc/snort/pid1/snort_$iface.pid "\n"
        /sbin/start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet --pidfile /etc/snort/pid1/snort_$iface.pid
        if [ $? -gt 0 ]
        then
                echo "start-stop-daemon failed. See above for reason"
                sleep 15
        fi
fi

# Stop the first Barnyard2 instance.
if [ -f /etc/snort/pid1/barnyard2_$iface.pid ]
then
        echo -e "Shutting down Barnyard" /etc/snort/pid1/barnyard2_$iface.pid "\n"
        /sbin/start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet --pidfile /etc/snort/pid1/barnyard2_$iface.pid
        if [ $? -gt 0 ]
        then
                echo "start-stop-daemon failed. See above for reason"
                sleep 15
        fi
fi

# Stop the second Snort instance (its pidfile lives under pid2, not pid1).
if [ -f /etc/snort/pid2/snort_$iface.pid ]
then
        echo -e "Shutting down second instance of snort" /etc/snort/pid2/snort_$iface.pid "\n"
        /sbin/start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet --pidfile /etc/snort/pid2/snort_$iface.pid
        if [ $? -gt 0 ]
        then
                echo "start-stop-daemon failed. See above for reason"
                sleep 15
        fi
fi

# Stop the second Barnyard2 instance.
if [ -f /etc/snort/pid2/barnyard2_$iface.pid ]
then
        echo -e "Shutting down Barnyard" /etc/snort/pid2/barnyard2_$iface.pid "\n"
        /sbin/start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet --pidfile /etc/snort/pid2/barnyard2_$iface.pid
        if [ $? -gt 0 ]
        then
                echo "start-stop-daemon failed. See above for reason"
                sleep 15
        fi
fi

echo "ensuring all snort and barnyard processes are killed"
killall snort
killall barnyard2
rm -rf /etc/snort/pid1/barnyard*

echo -e "Starting Snort\n"
/usr/bin/snort -c /etc/snort/snort1.conf --pid-path /etc/snort/pid1 --daq pcap --daq-dir /usr/lib64/daq --daq-mode passive -i $iface -F /etc/snort/bpf.filter -D
if [ $? -gt 0 ]
then
        tail -n 200 /var/log/messages | grep snort | grep ERROR
        echo "starting snort failed.  See above for reason"
        sleep 15
fi

echo -e "starting Barnyard\n"
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard1.waldo -i barnyard1 -I --pid-path /etc/snort/pid1 -D
if [ $? -gt 0 ]
then
        tail -n 200 /var/log/messages | grep barnyard | grep ERROR
        echo "starting barnyard failed.  See above for reason"
        sleep 15
fi

# If a second bpf filter exists, run a second instance of snort using it.
# (set -- expands the glob so the test sees a single filename.)
set -- /etc/snort/bpf_*.filter
if [ -f "$1" ]
then
        echo -e "Starting second instance of Snort\n"
        /usr/bin/snort -c /etc/snort/snort2.conf --pid-path /etc/snort/pid2 --daq pcap --daq-dir /usr/lib64/daq --daq-mode passive -i $iface -F "$1" -D
        echo -e "starting second instance of Barnyard\n"
        /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort2.u2 -w /var/log/snort/barnyard2.waldo -i barnyard2 -I --pid-path /etc/snort/pid2 -D
fi


On Fri, Oct 31, 2014 at 9:16 AM, test engineer <test12524 () gmail com> wrote:

Greetings, I'm evaluating Snort in a lab environment and need some
assistance creating an init.d startup script. I have attempted to use the
one provided by the Snort community but can't get it to work.

I have a Dell R720xd running CentOS 6.5 minimal install. Running 8 daemon
mode processes of Snort 2.9.6.2 using DAG 10Ge hardware interface with
2-tuple Hash Load Balancing config. So far the testing has gone very well.
Just need to set up an init.d to restart everything in case of power
failure. Any guidance is appreciated.


------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




-- 
Robert Millott
President, Millott and Associates
(443) 255-3588
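The posted script stops daemons through pidfiles whose names it reconstructs by hand, and then falls back to killall by process name, which will also signal any unrelated snort or barnyard2 process on the box. The script below is an added example, not Robert's script and not part of the Snort project: an init.d-style start/stop wrapper for one Snort + Barnyard2 pair that keeps the same design (pick the interface without an IPv4 address, stop through pidfiles, then start) but validates each pidfile before signalling, stops every daemon through its own pidfile with a TERM-then-KILL grace period, and never uses killall. The config paths, the pid directory and the barnyard2 pidfile name are assumptions; the parsing and pidfile functions take their input as arguments so they can be exercised on captured output without a running sensor.

```sh
#!/bin/sh
# Added example, not the poster's script: an init.d-style wrapper for one
# Snort + Barnyard2 pair. Pidfiles are validated before anything is
# signalled, each daemon is stopped through its own pidfile, and there is
# no name-based kill. All paths and pidfile names are assumptions; confirm
# them against the target host before use.

SNORT_CONF=/etc/snort/snort1.conf
BARNYARD_CONF=/etc/snort/barnyard2.conf
BPF=/etc/snort/bpf.filter
PIDDIR=/var/run/snort       # assumption: directory the daemons may write to

# Print non-loopback interfaces that carry no IPv4 address, the poster's
# heuristic for the sniffing port. $1 is the text of `ip -o link show`,
# $2 the text of `ip -o -4 addr show`, passed in so the parsing can be
# run on captured output.
pick_sniff_iface() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        $3 == "inet" { has4[$2] = 1; next }   # addr lines: "2: eth0    inet ..."
        NF >= 3 {                             # link lines: "2: eth0: <FLAGS> ..."
            name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
            if (name != "lo") links[++n] = name
        }
        END { for (i = 1; i <= n; i++) if (!(links[i] in has4)) print links[i] }'
}

# Print the pid stored in pidfile $1 only if the file holds a single
# integer and that process is alive. Missing, corrupt or stale: return 1.
live_pid_from() {
    [ -f "$1" ] || return 1
    pid=$(head -n 1 "$1" | tr -d '[:space:]')
    case "$pid" in
        '' | *[!0-9]*) return 1 ;;
    esac
    kill -0 "$pid" 2>/dev/null || return 1
    printf '%s\n' "$pid"
}

# Stop the daemon named $1 recorded in pidfile $2: TERM, wait up to $3
# seconds (default 30), then KILL. The pidfile is removed either way, so a
# stale entry is cleaned up instead of being handed to a name-based kill.
stop_by_pidfile() {
    name=$1; pidfile=$2; grace=${3:-30}
    if pid=$(live_pid_from "$pidfile"); then
        echo "Stopping $name (pid $pid)"
        kill -TERM "$pid"
        waited=0
        while kill -0 "$pid" 2>/dev/null && [ "$waited" -lt "$grace" ]; do
            sleep 1; waited=$((waited + 1))
        done
        if kill -0 "$pid" 2>/dev/null; then
            echo "$name ignored TERM, sending KILL"
            kill -KILL "$pid"
        fi
    elif [ -f "$pidfile" ]; then
        echo "Removing stale pidfile $pidfile"
    fi
    rm -f "$pidfile"
}

start_all() {
    iface=$(pick_sniff_iface "$(ip -o link show)" "$(ip -o -4 addr show)" | head -n 1)
    [ -n "$iface" ] || { echo "no interface without an IPv4 address found"; return 1; }
    ip link set "$iface" up
    # Snort writes $PIDDIR/snort_$iface.pid. Barnyard2 is assumed to name its
    # pidfile after the -i value (barnyard2_barnyard1.pid); check your build.
    /usr/sbin/snort -c "$SNORT_CONF" --pid-path "$PIDDIR" --daq pcap \
        --daq-mode passive -i "$iface" -F "$BPF" -D \
        || { echo "snort failed to start, see syslog"; return 1; }
    /usr/local/bin/barnyard2 -c "$BARNYARD_CONF" -d /var/log/snort -f snort.u2 \
        -w /var/log/snort/barnyard1.waldo -i barnyard1 --pid-path "$PIDDIR" -D
}

stop_all() {
    for f in "$PIDDIR"/snort_*.pid; do
        [ -e "$f" ] && stop_by_pidfile snort "$f" 30
    done
    stop_by_pidfile barnyard2 "$PIDDIR/barnyard2_barnyard1.pid" 30
    return 0
}

case "${1:-}" in
    start)   start_all ;;
    stop)    stop_all ;;
    restart) stop_all; start_all ;;
esac
```

Install it as /etc/init.d/snort (or wrap it in a systemd unit) and call it with start, stop or restart. The pidfile check matters on a sensor that restarts after a power failure: a leftover pidfile then points at a pid that may now belong to some other process, and signalling it blindly, or running killall as a safety net, is exactly what the validation avoids.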
