[Snort-users] stopping snort

Erick Mechler emechler at ...7719...
Fri Dec 13 11:38:03 EST 2002


:: Has anyone found a way to stop snort, automatically, what i want to do is
:: have snort stop, if it gets more than 'x' alerts in a single hour, or some
:: time frame, then of course email me that it has stopped.

Sounds like you can do this with a very small shell script, or perl if you 
prefer.

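# Assumes SNORT_PID, LOG_FILE, MAX_SIZE (in KB) and ADMIN (mail address) are set.
if kill -0 "$SNORT_PID" 2>/dev/null; then   # test the exit status: is snort running?
  # -gt compares numbers; ">" inside [ ] would be a shell redirection
  if [ "$(du -k "$LOG_FILE" | cut -f1)" -gt "$MAX_SIZE" ]; then
    kill "$SNORT_PID"                       # stop snort
    echo "snort stopped: $LOG_FILE is over ${MAX_SIZE}K" | mail -s "snort stopped" "$ADMIN"   # email me
  fi
fi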

Suitable for a cron job to run, maybe, once per 1/2 hour or so.

Cheers - Erick
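
Added example, not part of Erick's message: the same cron check keyed on the number of new alerts since the previous run instead of on log size. It assumes Snort's text alert output, where every alert carries one "[**] [gid:sid:rev]" header; the function names, the state file, the pid file and the use of mail(1) are assumptions.

```shell
#!/bin/sh
# Added example. Usage from cron (all five values are site-specific assumptions):
#   script PIDFILE ALERT_FILE STATE_FILE MAX_NEW_ALERTS ADMIN_ADDRESS

# count_alerts FILE -> total alerts in FILE (0 if the file is missing)
count_alerts() {
  [ -r "$1" ] || { echo 0; return 0; }
  grep -c -E '\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\]' "$1" || true
}

# new_alerts FILE STATE -> alerts added since the previous run; updates STATE
new_alerts() {
  now=$(count_alerts "$1")
  prev=$(cat "$2" 2>/dev/null || echo 0)
  case $prev in ''|*[!0-9]*) prev=0 ;; esac   # empty or corrupt state file
  echo "$now" > "$2"
  # A smaller total than last time means the log was rotated or truncated.
  if [ "$now" -lt "$prev" ]; then prev=0; fi
  echo $((now - prev))
}

# over_limit FILE STATE MAX -> succeeds when more than MAX alerts are new
over_limit() {
  n=$(new_alerts "$1" "$2")
  [ "$n" -gt "$3" ]
}

# stop_if_noisy PIDFILE FILE STATE MAX ADMIN -> stop snort and send mail
stop_if_noisy() {
  pid=$(cat "$1" 2>/dev/null) || return 0
  kill -0 "$pid" 2>/dev/null || return 0      # snort is not running
  if over_limit "$2" "$3" "$4"; then
    kill "$pid"
    echo "snort (pid $pid) stopped: $n new alerts, limit $4" |
      mail -s "snort stopped" "$5"
  fi
}

# Act only when called with the five arguments listed at the top.
if [ "$#" -eq 5 ]; then stop_if_noisy "$@"; fi
```

The time frame is the cron interval: run hourly, MAX_NEW_ALERTS is alerts per hour.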



