[Snort-users] Redhat6.2 initialization script

Sten (s10) at Home sten at ...6...
Sun Mar 4 05:27:25 EST 2001


John,

this is my setup. I run snort in a chroot environment.
It is more secure but it requires some extra work to configure.
This is a Mini HowTo ;-)

Create group and user "snort" (Linuxconf can help you here)
create (as root) the following directories:
/chroot
/chroot/snort
/chroot/snort/log

chown snort.snort /chroot/snort/log

create the following files:
>>>>>>>>>>>>>>> /etc/rc.d/init.d/snortd
#!/bin/sh
#
# snortd         Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description:  snort is a lightweight network intrusion detection tool that \
#               currently detects more than 1100 host and network \
#               vulnerabilities, portscans, backdoors, and more.
#
# June 10, 2000 -- Dave Wreski <dave at ...725...>
#   - initial version
#
# July 08, 2000 Dave Wreski <dave at ...53...>
#   - added snort user/group
#   - support for 1.6.2

# Jan 01, 2001 Sten Kalenda <sten at ...6...>
#   - added chroot environment 
#   - runs with 1.7
#
# Source function library.
. /etc/rc.d/init.d/functions

# Specify your network interface here
INTERFACE="eth0"

# See how we were called.

case "$1" in
  start)
        # -t chroots snort into /chroot/snort, so -l /log below ends up
        # as /chroot/snort/log on disk
        daemon  /usr/sbin/snort -c /etc/snort/snort.conf \
           -t /chroot/snort -u snort -g snort -A full \
            -o -v -d -D -i $INTERFACE -l /log
        touch /var/lock/subsys/snort
        /sbin/ifconfig $INTERFACE promisc
        # must do this in order to use snortmon
        chgrp snort /chroot/snort/log/alert
        chmod g+r   /chroot/snort/log/alert
        echo
        ;;
  stop)
 
        echo -n "Stopping snort: "
        killproc snort
        rm -f /var/lock/subsys/snort
        echo
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        status snort
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
esac

exit 0
<<<<<<<<<<<<<<<
create the symbolic link in /etc/rc.d/rc3.d to the file above:
cd /etc/rc.d/rc3.d
ln -s ../init.d/snortd S40snortd


you need also the logrotate script:
>>>>>>>>>>>>>>>>>>>>>>>>>
# Logrotate file for snort
# Jan 2001 Sten Kalenda Apeldoorn The Netherlands

daily
rotate 7

/chroot/snort/log/alert {
}

/chroot/snort/log/log {
}

/chroot/snort/log/portscan.log {
        daily
        postrotate
        rm -rf /chroot/snort/log/[1234567890]*
        /etc/rc.d/init.d/snortd restart
        endscript
}
<<<<<<<<<<<<<<<<<<<<<<<<<

This should do the job, enjoy!

grtz from the Netherlands,
Sten Kalenda

John Kiehnle wrote:
> 
> can anyone point to an init script for snort running on a redhat 6.2 box?
> 
> Thanks in advance,
> 
> John Kiehnle
> 

-- 

It is impossible to make anything foolproof because fools are so
ingenious
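
Added example, not part of the original message: a small audit of the chroot layout the HowTo sets up (log/ handed to the snort account, the jail root left with its creator, alert group-readable for snortmon). The function names and the overridable jail path and account arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audits the chroot layout described in the message.
# Defaults (/chroot/snort, user snort) come from the message; both can be
# overridden, which is an assumption made here so the check runs anywhere.

# has PATH TESTS...: true if PATH itself matches the given find(1) tests.
has() {
    p=$1; shift
    [ -n "$(find "$p" -prune "$@" -print 2>/dev/null)" ]
}

# Prints one "FINDING:" line per problem; returns 0 only when there are none.
audit_snort_chroot() {
    jail=${1:-/chroot/snort}
    runas=${2:-snort}
    findings=0
    note() { echo "FINDING: $*"; findings=$((findings + 1)); }

    for d in "$jail" "$jail/log"; do
        if [ ! -d "$d" ]; then note "$d is missing"; return 1; fi
    done

    # Only log/ is chowned to the unprivileged account in the message;
    # the jail root itself stays with the account that created it.
    if has "$jail" -user "$runas"; then note "$jail is owned by $runas"; fi
    if ! has "$jail/log" -user "$runas"; then
        note "$jail/log is not owned by $runas"
    fi

    # No directory in the jail should be writable by every local user.
    for d in "$jail" "$jail/log"; do
        if has "$d" -perm -002; then note "$d is world-writable"; fi
    done

    # The init script runs chmod g+r on alert so snortmon can read it;
    # the file only exists once snort has written an alert.
    if [ -e "$jail/log/alert" ]; then
        if ! has "$jail/log/alert" -perm -040; then
            note "$jail/log/alert is not group-readable"
        fi
        if has "$jail/log/alert" -perm -002; then
            note "$jail/log/alert is world-writable"
        fi
    fi
    [ "$findings" -eq 0 ]
}
```

Source the file and call `audit_snort_chroot` with no arguments to check the paths from the message; a non-zero return means at least one finding was printed.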



