Snort mailing list archives
Re: Startup Script (init.d)
From: Robert Millott <robm () millottandassociates com>
Date: Fri, 31 Oct 2014 10:00:20 -0400
Here is a copy of my script. May not be the best thing possible, but it works for us. If anyone has suggestions on how to improve it, I'll definitely take them.

#!/bin/sh
# get the interface that doesn't have an ipv4 address assigned to it. Assume that's the sniffing interface
export iface=$(ifconfig | grep -B1 "inet6" | awk '$1!="inet6" && $1!="--" && $1!="inet" {print $1}' | sed 's/:$//')
ifconfig $iface up

# stop the first snort instance if its pidfile exists
if [ -f /etc/snort/pid1/snort_$iface.pid ]
then
    echo -e "Shutting down Snort" /etc/snort/pid1/snort_$iface.pid "\n"
    /sbin/start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet --pidfile /etc/snort/pid1/snort_$iface.pid
    if [ $? -gt 0 ]
    then
        echo "start-stop-daemon failed. See above for reason"
        sleep 15
    fi
fi

if [ -f /etc/snort/pid1/barnyard2_$iface.pid ]
then
    echo -e "Shutting down Barnyard " /etc/snort/pid1/barnyard2_$iface.pid "\n"
    /sbin/start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet --pidfile /etc/snort/pid1/barnyard2_$iface.pid
    if [ $? -gt 0 ]
    then
        echo "start-stop-daemon failed. See above for reason"
        sleep 15
    fi
fi

# stop the second snort/barnyard pair (pid2) if it was started
if [ -f /etc/snort/pid2/snort_$iface.pid ]
then
    echo -e "Shutting down second instance of snort" /etc/snort/pid2/snort_$iface.pid "\n"
    /sbin/start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet --pidfile /etc/snort/pid2/snort_$iface.pid
    if [ $? -gt 0 ]
    then
        echo "start-stop-daemon failed. See above for reason"
        sleep 15
    fi
fi

if [ -f /etc/snort/pid2/barnyard2_$iface.pid ]
then
    echo -e "Shutting down Barnyard " /etc/snort/pid2/barnyard2_$iface.pid "\n"
    /sbin/start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet --pidfile /etc/snort/pid2/barnyard2_$iface.pid
    if [ $? -gt 0 ]
    then
        echo "start-stop-daemon failed. See above for reason"
        sleep 15
    fi
fi

echo "ensuring all snort and barnyard processes are killed"
killall snort
killall barnyard2
rm -rf /etc/snort/pid1/barnyard*

echo -e "Starting Snort\n"
/usr/bin/snort -c /etc/snort/snort1.conf --pid-path /etc/snort/pid1 --daq pcap --daq-dir /usr/lib64/daq --daq-mode passive -i $iface -F /etc/snort/bpf.filter -D
if [ $? -gt 0 ]
then
    tail /var/log/messages -n 200 | grep snort | grep ERROR
    echo "starting snort failed. See above for reason"
    sleep 15
fi

echo -e "starting Barnyard\n"
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard1.waldo -i barnyard1 -I --pid-path /etc/snort/pid1 -D
if [ $? -gt 0 ]
then
    tail /var/log/messages -n 200 | grep barnyard | grep ERROR
    echo "starting barnyard failed. See above for reason"
    sleep 15
fi

# if a second bpf filter exists, run a second instance of snort using second bpf filter
if [ -f /etc/snort/bpf_*.filter ]
then
    echo -e "Starting second instance of Snort\n"
    /usr/sbin/snort -c /etc/snort/snort2.conf --pid-path /etc/snort/pid2 --daq pcap --daq-dir /usr/lib64/daq --daq-mode passive -i $iface -F /etc/snort/bpf_*.filter -D
    echo -e "starting second instance of Barnyard\n"
    /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort2.u2 -w /var/log/snort/barnyard2.waldo -i barnyard2 -I --pid-path /etc/snort/pid2 -D
fi

On Fri, Oct 31, 2014 at 9:16 AM, test engineer <test12524 () gmail com> wrote:
Greetings,

I'm evaluating Snort in a lab environment and need some assistance creating an init.d startup script. I have attempted to use the one provided by the Snort community but can't get it to work. I have a Dell R720xd running CentOS 6.5 minimal install. Running 8 daemon mode processes of Snort 2.9.6.2 using DAG 10Ge hardware interface with 2-tuple Hash Load Balancing config. So far the testing has gone very well. Just need to set up an init.d to restart everything in case of power failure. Any guidance is appreciated.

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
Robert Millott
President, Millott and Associates
(443) 255-3588
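As an added example (mine, not Robert's script and not anything shipped with Snort or barnyard2), POSIX sh helpers that tighten the pidfile handling in the script above: exact pidfile paths instead of globs, a liveness check before signalling, TERM-then-KILL on a single pid rather than killall, plus the same "inet6 but no inet" interface heuristic parsed from `ip -o addr` instead of ifconfig. Paths and interface names are placeholders and the `ip -o addr` sample is constructed.

```shell
#!/bin/sh
# Added example, not the script from the post: pidfile-driven helpers for a
# Snort init.d script. Paths and interface names are placeholders.

# Constructed "ip -o addr" sample: eth0 has IPv4, eth1 only a link-local IPv6.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
2: eth0    inet6 fe80::1/64 scope link
3: eth1    inet6 fe80::2/64 scope link'

# Same heuristic as the posted script: the sniffing interface has an inet6
# address but no IPv4 one. Reads "ip -o addr" output on stdin.
sniff_iface() {
    awk '!($2 in seen) { seen[$2] = 1; order[++n] = $2 }
         $3 == "inet"  { v4[$2] = 1 }
         $3 == "inet6" { v6[$2] = 1 }
         END { for (k = 1; k <= n; k++) { i = order[k]
                 if (i != "lo" && (i in v6) && !(i in v4)) { print i; exit } } }'
}

# 0 = running, 1 = no pidfile or stale pid, 2 = pidfile does not hold a pid.
# Takes one exact path: "[ -f dir/snort*.pid ]" breaks once two files match.
daemon_status() {
    pidfile=$1
    [ -f "$pidfile" ] || return 1
    pid=$(tr -d '[:space:]' < "$pidfile")
    case $pid in
        ''|*[!0-9]*) return 2 ;;
    esac
    kill -0 "$pid" 2>/dev/null   # as root this is a pure liveness check
}

# TERM, wait up to $2 seconds, then KILL; remove the pidfile either way.
# Targets one pid rather than "killall snort", which hits every instance.
stop_daemon() {
    pidfile=$1; grace=${2:-30}
    if daemon_status "$pidfile"; then
        kill -TERM "$pid" 2>/dev/null
        i=0
        while [ "$i" -lt "$grace" ] && kill -0 "$pid" 2>/dev/null; do
            sleep 1; i=$((i + 1))
        done
        kill -0 "$pid" 2>/dev/null && kill -KILL "$pid" 2>/dev/null
    fi
    rm -f "$pidfile"
}
```

A `start` action built on these would write the pidfile via snort's `--pid-path` and then call `daemon_status` to confirm the process is actually up before reporting success.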