Snort mailing list archives

RE: Snort Startup Script


From: "Briggs, Bruce" <Bruce.Briggs () suny edu>
Date: Tue, 19 Apr 2005 11:11:27 -0400

Actually, the ability to start/run multiple instances of Snort can be
helpful.

For example, instance 1 can be your standard Snort with all of the
default rules etc. logging to your standard log database.
But instance 2 can be a specially crafted instance of Snort, using a
different snort.conf looking for a special packet type and perhaps
logging in a different way.

And of course, for those of us with multiple NICs on our Snort server,
running multiple instances of Snort, 1 for each NIC, is a requirement.

Bruce

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Paul
Schmehl
Sent: Monday, April 18, 2005 7:04 PM
To: dogbert () netnevada net; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Startup Script

--On Monday, April 18, 2005 03:21:08 PM -0700 dogbert () netnevada net
wrote:

#!/bin/bash
# $Id: S99snort,v 1.1 2001/12/18 22:14:37 cazz Exp $
# /etc/init.d/snort : start or stop the SNORT Intrusion Database System
#
# Written by Lukasz Szmit <ptashek () scg gliwice pl>
#
# Configuration

# set config file & path to snort executable
SNORT_PATH=/usr/local/bin
# CONFIG=/usr/local/share/snort/snort.conf
CONFIG=/usr/local/etc/snort.conf

# set interface
IFACE=eth1

# set GID/Group Name
SNORT_GID=nobody

# other options
OPTIONS="-D -b"

# End of configuration


test -x $SNORT_PATH/snort || exit 0

# is snort already running, if so, exit...

case "$1" in
     start)

# check to see if snort is already running, if so, exit...

        if [ -e /var/run/snort* ]; then
            echo Snort already running...exiting...
            exit 0
        fi
#
        echo "Starting Intrusion Database System: SNORT"
        $SNORT_PATH/snort -c $CONFIG -i $IFACE -g $SNORT_GID $OPTIONS
        if [ "`pidof $SNORT_PATH/snort`" ]; then
                echo "SNORT is up and running!"
        else
                exit 0
        fi
        echo -n "."
        ;;

I only posted up thru the start) section, but my question becomes, is
this the correct way to determine if snort is already running, or do
other readers have a better idea or way to do this?

This does nothing except verify that an executable file named snort
exists in /usr/local/bin.  If you want to test to see if snort is
running, you have to look at running processes.

Something along these lines should work (but not tested, so YMMV):

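# PIDs of any running snort processes (empty if there are none)
PID=`ps auxw | grep $SNORT_PATH/snort | grep -v grep | awk '{print $2}'`
# -n is true when at least one PID was found
if [ -n "$PID" ]; then
  echo "Snort is already running"
  exit 1
fi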

You *could* check for the existence of the pidfile, but that's not
*always* a guarantee that the process is actually running.  Safer to
look at the processes themselves.  Also, if you have pgrep on your
system, you can use that instead:

PID=`pgrep snort`
etc.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


-------------------------------------------------------
This SF.Net email is sponsored by: New Crystal Reports XI.
Version 11 adds new functionality designed to reduce time involved in
creating, integrating, and deploying reporting solutions. Free runtime
info,
new features, or free trial, at:
http://www.businessobjects.com/devxi/728
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
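
The pidfile-versus-process-list point from the reply above, as an added shell example that is not part of the original thread: a pidfile is trusted only if its PID is a live process named snort, and each interface has its own pidfile so several instances can coexist. The pidfile naming (snort_<iface>.pid under /var/run), the Linux /proc lookup, and all variable and function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: one pidfile per interface
# named snort_<iface>.pid under PID_DIR, and a Linux /proc (ps as fallback).
PID_DIR=${PID_DIR:-/var/run}
PROC_NAME=${PROC_NAME:-snort}

# Print the command name of PID $1, or nothing if no such process exists.
proc_name() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"
    else
        ps -p "$1" -o comm= 2>/dev/null
    fi
}

# Print the state of the instance bound to interface $1:
#   running  pidfile exists and its PID is a live process named PROC_NAME
#   stale    pidfile exists, but the PID is dead, belongs to another
#            program (PID reuse), or the file does not hold a number
#   stopped  no pidfile
snort_state() {
    pidfile="$PID_DIR/snort_$1.pid"
    [ -f "$pidfile" ] || { echo stopped; return 0; }
    pid=$(cat "$pidfile" 2>/dev/null)
    case "$pid" in
        ''|*[!0-9]*) echo stale; return 0 ;;
    esac
    case "$(proc_name "$pid")" in
        "$PROC_NAME"|*/"$PROC_NAME") echo running ;;
        *)                           echo stale ;;
    esac
}

# How a start) branch could use it, one instance per NIC
# (IFACES is a hypothetical space-separated list of interfaces).
for iface in ${IFACES:-eth1}; do
    case "$(snort_state "$iface")" in
        running) echo "snort on $iface already running, not starting" ;;
        stale)   echo "stale pidfile for $iface, remove it and start" ;;
        stopped) echo "no snort on $iface, safe to start" ;;
    esac
done
```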

