Snort mailing list archives

a little perl and a touch of cron


From: "Sean Wheeler" <S.Wheeler () netprotect ch>
Date: Thu, 2 Aug 2001 12:11:20 +0200

Hello,

I have knocked up a quickie perl script to check if snort & demarc are running; if either has failed, it will kill the remaining processes and restart the demarc client.

This works nicely for those sensors that are placed in the wild with no remote access to the machine. A problem I have experienced is that when the DB server is not available the demarc client stops; with no remote access it would be a hassle to restart, so the script takes care of that. Furthermore, the script does not just stop the processes: it first checks if they are running, as there is no point in stopping a happy little process.

Having no listening services, and the ability to still remotely modify snort, is turning out very nicely. I am working on using IPsec & FreeS/WAN for the client communication with the remote DB server.


A couple of additions to come are:
mail notification if the process won't restart (i.e. bad syntax in an updated snort rulebase)
a little spring cleaning
(your additions here)

For those of you not using demarc, the script could easily be modified to do what you need. The script can be placed in /etc/cron.hourly/ or wherever you want to call it from cron.

Installation to run every hour:
cut & paste into a file /etc/cron.hourly/checksnort
chmod 550 /etc/cron.hourly/checksnort


Below is the script. If you think it is ugly I don't want to know about it; it's dirty, but it works... nicely.

#!/usr/bin/perl
# checksnort: if either snort or the DEMARC client has stopped, kill whatever
# is left of both and start the DEMARC client again. Meant to run from cron.
use strict;
use warnings;

my $whattodo        = 0;
my $snort_conf_file = "/etc/snort/vision.conf";

# Is snort running with our config file? The grep process itself does not
# match, because its command line lacks the "-c <conf>" part. \Q...\E keeps
# the dots in the path from being treated as regex metacharacters.
my $result = `/bin/ps -ax | /usr/bin/grep snort`;
if ($result =~ /snort.*-c \Q$snort_conf_file\E/) {
    #print "Snort is running\n";
} else {
    #print "Bummer Snort is Dead\n";
    $whattodo = 1;
}

# Is the DEMARC client running? It shows up in ps as DEMARC_Client.
$result = `/bin/ps -ax | /usr/bin/grep DEMARC`;
if ($result =~ /DEMARC_Client/) {
    #print "DEMARC is running\n";
} else {
    #print "Bummer DEMARC is Dead\n";
    $whattodo = 1;
}

whattodo();

sub whattodo {
    if ($whattodo != 0) {
        #print "KILL DA LEFTOVERS !!!!!!\n";
        # Kill the leftovers (killall is silent on success, so nothing to keep),
        # then start the client again in the background.
        system("/usr/bin/killall snort");
        system("/usr/bin/killall demarc_c.pl");
        system("/usr/local/bin/demarc_c.pl &");
        #print "GO ON HOLIDAY\n";
    }
}
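As an added example (not the script from the post), here is the same check written as POSIX sh functions that take a ps listing as input, so the decision logic can be tried offline, plus the "restart did not take" report the author lists as a planned addition: cron mails whatever a job prints, so printing one line is enough to get notified. The config path, process names and client path are the ones from the post; the sample listings are constructed.

```shell
#!/bin/sh
# Added example, not the posted script. Assumed from the post:
SNORT_CONF="/etc/snort/vision.conf"
DEMARC_CLIENT="/usr/local/bin/demarc_c.pl"

# running PATTERN LISTING: true if a line other than the grep itself matches.
running() {
    printf '%s\n' "$2" | grep -v 'grep' | grep -q -- "$1"
}

# decide LISTING: prints "ok" when snort (with our config) and the DEMARC
# client are both up, otherwise "restart".
decide() {
    if running "snort.*-c $SNORT_CONF" "$1" && running 'DEMARC_Client' "$1"; then
        echo ok
    else
        echo restart
    fi
}

# verify LISTING_AFTER: silent (status 0) when the restart took; otherwise
# prints a one-line report and returns 1. cron mails the output to MAILTO.
verify() {
    if [ "$(decide "$1")" = ok ]; then
        return 0
    fi
    echo "checksnort on $(uname -n): restart of $DEMARC_CLIENT did not bring snort/DEMARC back"
    return 1
}

# watchdog: the live version, as the hourly cron job would run it.
watchdog() {
    if [ "$(decide "$(ps -ax)")" = restart ]; then
        killall snort 2>/dev/null
        killall demarc_c.pl 2>/dev/null
        "$DEMARC_CLIENT" &
        sleep 10          # give the client a moment before checking again
        verify "$(ps -ax)"
    fi
}

# Constructed sample listings (not real ps output) for trying decide/verify.
UP="  101 ?  S  0:01 /usr/sbin/snort -c /etc/snort/vision.conf -i eth0
  102 ?  S  0:00 DEMARC_Client
  150 p0 S  0:00 grep snort"
SNORT_DOWN="  102 ?  S  0:00 DEMARC_Client
  150 p0 S  0:00 grep snort"

# Only touch real processes when explicitly asked (e.g. CHECKSNORT_RUN=1 from cron).
if [ "${CHECKSNORT_RUN:-0}" = 1 ]; then watchdog; fi
```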
