[Snort-users] network shutdown on certain alerts

Jason K. Boykin jboykin at ...9552...
Mon Jul 21 13:23:22 EDT 2003

Hi all,
I've been asked to have some machines go down when certain alerts are 
triggered.  Two ways I've looked at this are writing a shell script to do this or 
modifying an existing Snort log monitor such as razorback.

I don't have much coding experience, but I'm learning, and I do have some 
scripting experience, although very little with start and stop scripts such as 

Currently I've got Snort logging to /var/log/snort/alert and to PostgreSQL.  
I've got ACID up and viewing the database and still use razorback to get 
realtime updates when I'm at work testing stuff.  I've also been using swatch 
to monitor /var/log/snort/alert to send e-mails out on priority 1 and 2 

I was working on this shell script to get the above accomplished, but I think I 
might be going about it in the wrong direction.  I was planning on using swatch 
to execute the script when a matched alert is made.


#!/bin/bash
# netdown: bring the network down 30 seconds after a priority 1 alert,
# unless "netdown stop" is run first.  Red Hat 7.3 init-script style.
. /etc/rc.d/init.d/functions

PIDFILE=/var/run/netdown.pid

case "$1" in
  start)
        # Refuse to start a second countdown if one is already running
        if [ -f $PIDFILE ] && kill -0 "$(cat $PIDFILE)" 2>/dev/null; then
                echo "netdown already counting down"
                exit 0
        fi
        # killproc and status look in /var/run/<name>.pid first, so record our PID
        echo $$ > $PIDFILE
        wall "Priority 1 Alert Detected"
        wall "Network shutting down in 30 seconds"
        wall "Run abort script to stop shutdown"
        sleep 30
        /etc/init.d/network stop
        touch /var/lock/subsys/netdown
        rm -f $PIDFILE
        ;;
  stop)
        wall "NetDown aborted"
        killproc netdown
        rm -f $PIDFILE /var/lock/subsys/netdown
        ;;
  status)
        status netdown
        ;;
  *)
        echo "Usage: $0 {start|stop|status}"
        exit 1
        ;;
esac

exit 0

The servers are on Red Hat 7.3, by the way.  I was asked to have a box or window pop up 
and alert anyone around about this, so I figured I would use 'wall'.
/etc/init.d/network can be used to bring the network interface up and down.  
Don't know if it's in other distros.

Now the problem is coming when I want to abort the lockdown.  I was going to 
put a shortcut on the desktop to stop the script sometime during the sleep, if 
it's caught in time.

If I can get this working I could add sound or something too if my boss 

Can anyone help me with this or know of something already out there that can 
do the same thing or similar?  (Can't get SAM working)

Jason Boykin
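The trigger side of the setup described in the post (swatch matching priority 1 and 2 lines in /var/log/snort/alert and running a lockdown script) as an added example, not code from the post or from swatch. It writes the match as plain shell so the decision logic can be run and checked offline: Snort's full alert format carries the priority on a "[Classification: ...] [Priority: N]" line, and that is what the functions below parse. The sample alerts are constructed, and NETDOWN_CMD is an assumed hook that stands in for "/etc/init.d/netdown start" so the example does not touch the network.

```shell
#!/bin/sh
# Added example (not from the original post): the match swatch would do on
# /var/log/snort/alert, written as shell so it can be tested without swatch.

# Print the numeric priority from a Snort alert line, or nothing if absent.
alert_priority() {
    printf '%s\n' "$1" | sed -n 's/.*\[Priority: \([0-9][0-9]*\)\].*/\1/p'
}

# True when the line carries a priority at or below $2 (default 2), i.e.
# priority 1 or 2 alerts should trigger the lockdown script.
should_lock_down() {
    prio=$(alert_priority "$1")
    [ -n "$prio" ] && [ "$prio" -le "${2:-2}" ]
}

# Command run for a matching alert.  The post's script would be
# "/etc/init.d/netdown start"; NETDOWN_CMD is an assumption made here so the
# example runs without taking an interface down.
NETDOWN_CMD=${NETDOWN_CMD:-"echo would run: /etc/init.d/netdown start"}

# Read alert text on stdin and fire the hook once per matching line.
watch_alerts() {
    while IFS= read -r line; do
        if should_lock_down "$line"; then
            $NETDOWN_CMD
        fi
    done
}

# Constructed sample alerts in Snort's full alert format (not real traffic).
SAMPLE_ALERTS='[**] [1:1000001:1] LOCAL example exploit attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
07/21-13:23:22.000000 10.0.0.5:4444 -> 10.0.0.9:80
[**] [1:1000002:1] LOCAL example scan [**]
[Classification: Attempted Information Leak] [Priority: 3]
07/21-13:23:23.000000 10.0.0.5:4445 -> 10.0.0.9:22
[**] [1:1000003:1] LOCAL example suspicious login [**]
[Classification: Attempted User Privilege Gain] [Priority: 2]
07/21-13:23:24.000000 10.0.0.5:4446 -> 10.0.0.9:23'

# Count how many of the sample alerts would start the countdown.
count_triggers() {
    n=0
    # A here-document keeps the loop in this shell, so n survives the loop.
    while IFS= read -r line; do
        if should_lock_down "$line"; then n=$((n + 1)); fi
    done <<EOF
$SAMPLE_ALERTS
EOF
    echo "$n"
}

# Demo: feed the constructed alerts through the watcher.
printf '%s\n' "$SAMPLE_ALERTS" | watch_alerts
```

The equivalent swatch configuration is a `watchfor /\[Priority: [12]\]/` entry whose action is `exec "/etc/init.d/netdown start"`; because one attack usually produces many alerts, look into swatch's throttle option, or make the lockdown script refuse to start a second countdown while one is already running, so a burst of alerts does not spawn dozens of timers.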
