Snort mailing list archives
RE: Snort Startup Script
From: "Briggs, Bruce" <Bruce.Briggs () suny edu>
Date: Tue, 19 Apr 2005 11:11:27 -0400
Actually, the ability to start/run multiple instances of Snort can be helpful. For example, instance 1 can be your standard Snort with all of the default rules etc. logging to your standard log database. But instance 2 can be a specially crafted instance of Snort, using a different snort.conf looking for a special packet type and perhaps logging in a different way.

And of course, for those of us with multiple NICs on our Snort server, running multiple instances of Snort, 1 for each NIC, is a requirement.

Bruce

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Paul Schmehl
Sent: Monday, April 18, 2005 7:04 PM
To: dogbert () netnevada net; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Startup Script

--On Monday, April 18, 2005 03:21:08 PM -0700 dogbert () netnevada net wrote:

    #!/bin/bash
    # $Id: S99snort,v 1.1 2001/12/18 22:14:37 cazz Exp $
    # /etc/init.d/snort : start or stop the SNORT Intrusion Database System
    #
    # Written by Lukasz Szmit <ptashek () scg gliwice pl>
    #
    # Configuration

    # set config file & path to snort executable
    SNORT_PATH=/usr/local/bin
    # CONFIG=/usr/local/share/snort/snort.conf
    CONFIG=/usr/local/etc/snort.conf

    # set interface
    IFACE=eth1

    # set GID/Group Name
    SNORT_GID=nobody

    # other options
    OPTIONS="-D -b"

    # End of configuration

    test -x $SNORT_PATH/snort || exit 0
    # is snort already running, if so, exit...

    case "$1" in
    start)
        # check to see if snort is already running, if so, exit...
        if [ -e /var/run/snort* ]; then
            echo Snort already running...exiting...
            exit 0
        fi
        # echo "Starting Intrusion Database System: SNORT"
        $SNORT_PATH/snort -c $CONFIG -i $IFACE -g $SNORT_GID $OPTIONS
        if [ "`pidof $SNORT_PATH/snort`" ]; then
            echo "SNORT is up and running!"
        else
            exit 0
        fi
        echo -n "."
        ;;

I only posted up thru the start) section, but my question becomes, is this the correct way to determine if snort is already running, or do other readers have a better idea or way to do this?

This does nothing except verify that an executable file named snort exists in /usr/local/bin. If you want to test to see if snort is running, you have to look at running processes. Something along these lines should work (but not tested, so YMMV):

    PID=`ps auxw | grep $SNORT_PATH/snort | grep -v grep | awk '{print $2}'`
    # a non-empty PID list means at least one snort process was found
    if [ -n "$PID" ]; then
        echo "Snort is already running"
        exit 1
    fi

You *could* check for the existence of the pidfile, but that's not *always* a guarantee that the process is actually running. Safer to look at the processes themselves. Also, if you have pgrep on your system, you can use that instead:

    PID=`pgrep snort`

etc.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
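
The pidfile and process checks discussed in this thread, combined in an added example that is not code from any of the posters: a pidfile counts only when the recorded PID is alive and belongs to a process with the expected name, and the check is made once per interface for multi-NIC sensors. The `snort_<iface>.pid` naming, the pidfile directory argument and the `SNORT_NAME` override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes one pidfile per interface
# named snort_<iface>.pid in a directory supplied by the caller.

# Print the command name of PID $1 (Linux /proc first, ps as a fallback).
proc_name() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"
    else
        basename "$(ps -p "$1" -o comm= 2>/dev/null)"
    fi
}

# instance_running PIDFILE [NAME]
# Returns 0 if the pidfile names a live process called NAME (default snort),
# 1 if there is no pidfile, 2 if the pidfile is stale or unusable.
instance_running() {
    pidfile=$1
    name=${2:-snort}
    [ -f "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" 2>/dev/null)
    case $pid in
        ''|*[!0-9]*) return 2 ;;      # empty or non-numeric content
    esac
    # kill -0 delivers no signal; it only asks whether the PID exists.
    # Assumes the caller is root (as an init script is), so EPERM cannot
    # hide a live process owned by another user.
    kill -0 "$pid" 2>/dev/null || return 2
    # Guard against PID reuse by an unrelated process after a crash.
    [ "$(proc_name "$pid")" = "$name" ] || return 2
    return 0
}

# ifaces_to_start PIDDIR IFACE...
# Echo each interface that has no live instance, one per line.
# SNORT_NAME (hypothetical override) sets the expected process name.
ifaces_to_start() {
    piddir=$1
    shift
    for iface in "$@"; do
        instance_running "$piddir/snort_$iface.pid" "${SNORT_NAME:-snort}" ||
            echo "$iface"
    done
}
```

A start) branch can loop over the output of `ifaces_to_start` and launch one instance per listed interface, removing any stale pidfile first.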
Current thread:
- Snort Startup Script dogbert (Apr 18)
- Re: Snort Startup Script Paul Schmehl (Apr 18)
- <Possible follow-ups>
- RE: Snort Startup Script Briggs, Bruce (Apr 19)
- RE: Snort Startup Script Paul Schmehl (Apr 19)