[Snort-users] Newbie Question

Pacheco, Michael F. MPacheco at ...6219...
Fri Apr 25 12:08:44 EDT 2003


If you did a source install, look in the snortsource/contrib folder for
S99snort -  do a 

cp S99snort /etc/init.d/snort
cd /etc/init.d   (Now edit the file to your config - interface name - snort
* group name (nobody on my box))
* make sure it's executable (chmod 755 snort)
cd /etc/rc3.d
ln -s ../init.d/snort S99snort
cd /etc/rc5.d
ln -s ../init.d/snort S99snort

Now snort will start on boot, and you can gracefully kill it with PID
tracking by issuing

/etc/init.d/snort stop  (or start or restart - if you just updated your
rules)

Your mileage may vary - runs great on RedHat 7.3, 8.- and 9.0 - If you did
an rpm install you're out of luck, I'd guess it would auto install this script
but I'm not sure because I don't do rpm's of software I change a lot.

Enjoy,

Mike Pacheco


-----Original Message-----
From: Wilcoxen, Scott [mailto:SWilcoxen at ...9020...] 
Sent: Friday, April 25, 2003 2:38 PM
To: Snort-users at lists.sourceforge.net
Subject: [Snort-users] Newbie Question

I'm relatively new to both Snort and Linux, so please bear with me here.  I
have got snort set up on two separate machines.  One machine is listening to
traffic on the outside of my firewall and the other on the inside.  On a
third machine I've got a MySQL database to which I'm logging alerts.  I've
set up an apache web server on this machine as well and am using ACID to view
the alerts being logged.  My sensors are logging all packets in binary tcpdump
format on the local hard drive.  I would like to set up a cron job to
move these logs to another machine every day so that the hard drives on my
sensors don't fill up.  I'm starting snort in daemon mode and noticed that
when I move the logs it doesn't seem to start another one.  So my theory was
that if I stop snort, move the logs, and restart snort I would be ok. 
Problem is I can't find a way to stop snort short of issuing a 'kill pid'. 
I want to script all of this.  Any suggestions?  



Scott S Wilcoxen
Macfadden & Associates, Inc.
Office: 301.562.3046
Mobile: 410.688.2813
Fax: 301.588.0390
Email: SWilcoxen at ...9020...
www.macf.com
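
One way to script the stop / move / restart cycle discussed in this thread, built on the init script installed as described in the reply. This is an added example, not code from either poster or from the Snort distribution; the function name rotate_snort_logs and the paths /var/log/snort and /var/spool/snort-archive are assumptions to adjust per sensor.

```shell
#!/bin/sh
# Added example: rotate Snort's log files around a clean stop/start.
# Usage: rotate_snort_logs INIT_SCRIPT LOG_DIR ARCHIVE_ROOT
rotate_snort_logs() {
    init_script=$1      # e.g. /etc/init.d/snort
    log_dir=$2          # where the sensor writes its logs (assumed path)
    archive_root=$3     # local spool directory (assumed path)
    dest="$archive_root/$(date +%Y%m%d-%H%M%S)"

    # Refuse to touch anything unless the daemon can be controlled.
    [ -x "$init_script" ] || { echo "no init script: $init_script" >&2; return 2; }
    [ -d "$log_dir" ] || { echo "no log dir: $log_dir" >&2; return 2; }

    mkdir -p "$dest" || return 3
    chmod 700 "$dest"   # packet captures can hold sensitive payloads

    # Stop first: a running daemon keeps its open file handle, so moving
    # the file underneath it does not make it open a new log.
    "$init_script" stop || { echo "stop failed, logs left in place" >&2; return 4; }

    status=0
    for f in "$log_dir"/*; do
        [ -f "$f" ] || continue          # skip subdirectories / empty glob
        mv -- "$f" "$dest"/ || status=5  # remember the failure, keep going
    done

    # Always attempt the restart, even after a failed move: a sensor that
    # stays down is a monitoring gap.
    "$init_script" start || { echo "restart failed" >&2; return 6; }
    return $status
}

# Runs only when called as "script --run", e.g. from a daily cron entry.
if [ "${1:-}" = "--run" ]; then
    rotate_snort_logs /etc/init.d/snort /var/log/snort /var/spool/snort-archive
fi
```

Moving into a local spool directory keeps the time the sensor is stopped short; the timestamped directory can then be copied to the other machine after Snort is running again.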




