Snort mailing list archives
Re: a little perl and a touch of cron
From: Andreas Brenk <ab () aegisnet de>
Date: Thu, 2 Aug 2001 15:26:23 +0200
Hi.

Has anybody already done similar work in order to use Snort and Demarc under Dan Bernstein's Daemontools? This would take over the work of checking if the processes are running and restarting them if necessary. A script running out of cron doesn't sound that nice to me...

AB

* Sean Wheeler <S.Wheeler () netprotect ch> [010802 12:11]:
Hello,

I have knocked up a quickie perl script to check if snort & demarc are running, if either have failed it will kill the remaining processes and restart the demarc client. This works nicely for those sensors who are placed in the wild with no remote access to the machine.

A problem I have experienced is that when the DB server is not available the demarc client stops, with no remote access it would be a hassle to restart, so the script takes care of that. Furthermore the script does not just stop the processes, it first checks if they are running, no point in stopping a happy little process.

Having no listening services, and the ability to still remotely modify snort is turning out very nicely, I am working on using IPSEC & freeSWAN for the client communication with the remote DB server.

A couple additions to come are:

- mail notification if the process won't restart (i.e. bad syntax in an updated snort rulebase)
- a little spring cleaning
- (your additions here)

For those of you not using demarc the script could be easily modified to do what you need. The script can be placed in /etc/cron.hourly/ or where you may want to call it from cron.
Installation to run every hour:

    cut & paste into a file /etc/cron.hourly/checksnort
    chmod 550 /etc/cron.hourly/checksnort

Below is the script, if you think it is ugly I don't want to know about it, it's dirty but it works....nicely

    #!/usr/bin/perl
    use strict;
    use warnings;

    # 0 = both processes are alive, 1 = something died and a restart is needed
    my $whattodo = 0;
    my $snort_conf_file = "/etc/snort/vision.conf";

    # Is snort running with our configuration file?
    # \Q...\E keeps the dots in the path from acting as regex wildcards.
    my $result = `/bin/ps -ax |/usr/bin/grep snort`;
    if ($result =~ /snort.*-c \Q$snort_conf_file\E/) {
        #print "Snort is running:\n";
        $whattodo = 0;
    } else {
        #print "Bummer Snort is Dead\n";
        $whattodo = 1;
    }

    # Is the DEMARC client running?
    $result = `/bin/ps -ax |/usr/bin/grep DEMARC`;
    if ($result =~ /DEMARC_Client/) {
        #print "DEMARC is running\n";
    } else {
        #print "Bummer DEMARC is Dead\n";
        $whattodo = 1;
    }

    whattodo();

    # If either process is gone, kill whatever is left and restart the client.
    sub whattodo {
        if ($whattodo != 0) {
            #print "KILL DA LEFTOVERS !!!!!!\n";
            my $snortdie  = `/usr/bin/killall snort`;
            my $demarcdie = `/usr/bin/killall demarc_c.pl`;
            system("/usr/local/bin/demarc_c.pl &");
            #print "GO ON HOLIDAY\n";
        }
    }
--
Best regards
Andreas Brenk
mailto:ab () aegisnet de

AegisNet IT-Dienstleistungen
Postfach 62 03 71
22403 Hamburg
http://www.aegisnet.de
Tel. and Fax: +49-(0)700-AEGISNET
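The liveness check from the quoted script, as an added example that is not part of the thread: it compares argv tokens exactly instead of pattern-matching raw `ps | grep` output, so a `grep` or editor process that merely mentions snort does not count as a running sensor. The function name `sensor_action`, the `PID COMMAND ARGS` input format and the sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads "PID COMMAND ARGS..." lines on
# stdin (for instance from: ps -A -o pid= -o args=) and prints "ok" when the
# sensor is healthy or "restart" when snort or the DEMARC client is missing.
sensor_action() {
    conf=$1    # snort configuration file the sensor must be running with
    awk -v conf="$conf" '
        {
            # Field 2 is the executable; compare its basename exactly so
            # "grep snort" or "vi snort.conf" never count as snort itself.
            n = split($2, path, "/")
            exe = path[n]
            if (exe == "snort") {
                # Require "-c" immediately followed by the exact path
                # (string comparison, so "." in the path is not a wildcard).
                for (i = 3; i < NF; i++)
                    if ($i == "-c" && $(i + 1) == conf) snort = 1
            }
            # The quoted script looks for "DEMARC_Client" in the listing
            # (assumed process title); ignore the grep that searches for it.
            if (exe != "grep" && index($0, "DEMARC_Client")) demarc = 1
        }
        END { if (snort && demarc) print "ok"; else print "restart" }
    '
}

# Constructed sample listings (not captured from a real sensor).
SAMPLE_HEALTHY='101 /usr/local/bin/snort -D -c /etc/snort/vision.conf
102 DEMARC_Client
103 /usr/bin/grep snort'

SAMPLE_SNORT_DEAD='102 DEMARC_Client
201 vi /etc/snort/vision.conf
202 /usr/bin/grep snort'

SAMPLE_WRONG_CONF='301 /usr/local/bin/snort -T -c /etc/snort/other.conf
102 DEMARC_Client'

SAMPLE_DEMARC_DEAD='101 /usr/local/bin/snort -D -c /etc/snort/vision.conf
401 /usr/bin/grep DEMARC_Client'

printf '%s\n' "$SAMPLE_HEALTHY" | sensor_action /etc/snort/vision.conf
```
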