[Snort-users] Improved snortd init script

JP Vossen vossenjp at ...8683...
Fri May 23 18:04:03 EDT 2003


I was messing around with kill -USR1 {snort} and wondering why that was not in
the init script wrapper, so I added it. It works on my RedHat 8.0 box, but
I've done no other testing.

What do you think?  Snort.org/Sourcefire guys: hopefully this will make the
stats a little easier for those just moving to UNIX (esp. snortd stats opt).

Any suggestions for improvement (it's a bit ugly right now)?

Later,
JP

I hope the formatting survives my mailer...
----- Cut Here -----
#!/bin/sh
#
# snortd         Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description:  snort is a lightweight network intrusion detection tool that
#		currently detects more than 1100 host and network
#		vulnerabilities, portscans, backdoors, and more.
#
# June 10, 2000 -- Dave Wreski <dave at ...725...>
#   - initial version
#
# July 08, 2000 Dave Wreski <dave at ...53...>
#   - added snort user/group
#   - support for 1.6.2
# July 31, 2000 Wim Vandersmissen <wim at ...216...>
#   - added chroot support
# May 23, 2003 JP Vossen <jp at ...8684...>
#   - added stats (long|opt) option

# Source function library.
. /etc/rc.d/init.d/functions

# Specify your network interface here
INTERFACE=eth0

# See how we were called.
case "$1" in
  start)
	echo -n "Starting snort: "
	cd /var/log/snort
	daemon /usr/sbin/snort -A fast -b -l /var/log/snort -d -D \
		 -i $INTERFACE -c /etc/snort/snort.conf
	touch /var/lock/subsys/snort
	echo
	;;
  stop)
	echo -n "Stopping snort: "
	killproc snort
	rm -f /var/lock/subsys/snort
	echo
	;;
  restart)
	$0 stop
	$0 start
	;;
  status)
	status snort
	;;
  stats | statistics)
	tc=100		# Trailing context to grep
	secs=3		# Seconds to wait for syslog
	syslog='/var/log/messages'
	# Grab Snort's PID (may be more than one if several sensors run)
	pid=`pidof -o $$ -o $PPID -o %PPID -x snort`
	if [ -z "$pid" ]; then
		echo "snort is not running, nothing to dump"
		exit 1
	fi

	echo "Dumping Snort's ($pid) statistics to screen and $syslog"
	echo "please wait $secs seconds..."
	# Get the date and tell Snort to dump stats as close together in
	# time as possible.  Not 100% (the dump can be logged in the next
	# second and then won't match), but it seems to work.
	startdate=`date '+%b %e %H:%M:%S'` && kill -USR1 $pid
	# Sleep for $secs secs to give syslog a chance to catch up
	sleep $secs	# May need to be adjusted for slow/busy systems
	# Snort starts its stats with a line of 79 '=' characters; grab that
	# line plus $tc lines of context, then keep only Snort's own lines.
	pattern="^$startdate .* snort:   ={79}"
	if [ "$2" = "long" ]; then		# Long format
		egrep -A $tc "$pattern" $syslog | grep snort:
	elif [ "$2" = "opt" ]; then		# OPTimize format
		# Just show stuff useful for optimizing Snort
		egrep -A $tc "$pattern" $syslog | \
		  egrep "snort: Snort analyzed |snort: dropping|emory .aults:"
	else					# Default format
		egrep -A $tc "$pattern" $syslog | grep snort: | cut -d: -f4-
	fi
	;;
  *)
	echo "Usage: $0 {start|stop|restart|status|stats (long|opt)}"
	exit 1
esac

exit 0
----- Cut Here -----


------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|                jp at ...8684...
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows XP or better, so I installed
Linux..."
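
The script above keys its syslog grep on the timestamp taken just before kill -USR1, so a dump that syslog writes in the following second is missed. The script below is an added example, not part of JP's post or of Snort: it records how many lines the log had before the signal and reads only what was appended afterwards, then applies the same long/opt/default filtering. It assumes the line shape the init script's patterns already assume (syslog "Mon DD HH:MM:SS host snort: ..." with a banner of 79 '=' characters), and the sample log lines are constructed for the demonstration, not captured Snort output.

```sh
#!/bin/sh
# Added example (not from the original post or from Snort): extract Snort's
# SIGUSR1 statistics from syslog by line offset instead of by timestamp.

# Usage: snort_stats_since LINE_OFFSET SYSLOG_FILE [long|opt]
# LINE_OFFSET is the number of lines the file had just before kill -USR1.
# Prints the first statistics block logged after that point; returns 1 if
# no block has appeared yet (the caller can sleep a bit longer and retry).
snort_stats_since() {
    offset=$1
    syslog=$2
    fmt=${3:-default}
    # 1. only lines appended after the signal   2. only Snort's own lines
    # 3. from the first "=" banner (79 of them, as the init script greps) onward
    block=$(tail -n +$((offset + 1)) "$syslog" | grep ' snort: ' \
        | sed -n '/ snort:   =\{79\}$/,$p')
    [ -n "$block" ] || return 1
    case "$fmt" in
        long) printf '%s\n' "$block" ;;
        opt)  printf '%s\n' "$block" \
                | grep -E 'snort: Snort analyzed |snort: dropping|emory .aults:' ;;
        *)    printf '%s\n' "$block" | cut -d: -f4- ;;
    esac
}

# Real use (needs root and a running snort; not exercised by the sample below):
# record the offset, signal Snort, give syslog a moment, then extract.
snort_dump_stats() {
    syslog=${1:-/var/log/messages}
    fmt=${2:-default}
    pid=$(pidof snort) || { echo "snort is not running" >&2; return 1; }
    offset=$(wc -l <"$syslog" | tr -d ' ')
    kill -USR1 $pid || return 1
    sleep 3
    snort_stats_since "$offset" "$syslog" "$fmt"
}

# Constructed sample syslog: NOT real Snort output, only shaped like the lines
# the init script's patterns expect. It holds a stale dump from a minute
# earlier, an unrelated kernel line, and, appended after the "signal", a fresh
# dump with an sshd line interleaved, logged one second after a hypothetical
# `date` call at 18:04:03 (the case the timestamp grep would miss).
EQ=$(printf '%79s' '' | tr ' ' '=')
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<EOF
May 23 18:02:59 ids snort:   $EQ
May 23 18:02:59 ids snort: Snort analyzed 50000 out of 50000 packets, dropping 0(0.000%) packets
May 23 18:02:59 ids snort:   $EQ
May 23 18:03:50 ids kernel: eth0: Promiscuous mode enabled.
EOF
OFFSET=$(wc -l <"$SAMPLE" | tr -d ' ')   # what snort_dump_stats records before kill -USR1
cat >>"$SAMPLE" <<EOF
May 23 18:04:04 ids snort:   $EQ
May 23 18:04:04 ids snort: Snort analyzed 104243 out of 104243 packets, dropping 0(0.000%) packets
May 23 18:04:04 ids snort: Breakdown by protocol:                Action Stats:
May 23 18:04:04 ids snort:     TCP: 87911      (84.333%)         ALERTS: 12
May 23 18:04:04 ids sshd[1234]: Accepted publickey for jp from 10.0.0.5 port 51022 ssh2
May 23 18:04:04 ids snort: Memory faults: 0
May 23 18:04:04 ids snort:   $EQ
EOF

echo "--- opt format (fresh dump only, stale 50000-packet dump excluded) ---"
snort_stats_since "$OFFSET" "$SAMPLE" opt
echo "--- default format ---"
snort_stats_since "$OFFSET" "$SAMPLE"
echo "--- nothing appended yet ---"
snort_stats_since "$(wc -l <"$SAMPLE" | tr -d ' ')" "$SAMPLE" \
    || echo "no statistics block found (rc=$?)"
```

The offset approach is also what you want when several Snort processes share one syslog, since the sed range starts at the first banner after the signal rather than at whatever happens to carry the same timestamp. It does not survive a log rotation between the `wc -l` and the read; if that window matters, check that the file's inode is unchanged before trusting the offset.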
