[Snort-users] snort/Barnyard startup script

Edin Dizdarevic edin.dizdarevic at ...7509...
Wed Jul 7 05:03:06 EDT 2004


Hi,

this is the way I have it added in my script, maybe you can use it 
(remember to adapt it to your system):

...
################################################################################
# General constants
#
# Snort and Barnyard binaries, plus the helper tools the script calls
SNORT="/usr/local/bin/snort"
BY="/usr/local/bin/barnyard"
PIDOF="/sbin/pidof"
ECHO="/bin/echo"
RM="/bin/rm"
KILL="/bin/kill"
SLEEP="/bin/sleep"
#
################################################################################


################################################################################
# Barnyard constants
#
# Barnyard configuration file
BY_CFG="/etc/snort/barnyard.conf"

# Spoolfile, the file where Snort is logging the alerts. Must be the same as in
# the Snort configuration file. The appended timestamp is detected automatically
# by BY.
BY_SPOOL="/var/log/snort/unified.log"

# Path to the sid-msg.map file. The file where the reference to the specific
# vulnerabilities is stored so we can find further information on alerts.
SID="/etc/snort/sid-msg.map"

# Path to the "waldo" file. That is, where Barnyard will save its current
# state, so that after a restart BY does not log again the alerts it has
# already logged.
BY_WALDO="/var/log/snort/waldo.barnyard"
#
################################################################################

...

# Starting Barnyard...
"$ECHO" "Starting Barnyard logging facility..."

# Find out if Barnyard is already running
BY_PID=$("$PIDOF" "$BY")

if [ -z "$BY_PID" ]
then
         "$ECHO" "No Barnyard instances available!"
         "$ECHO" "Continuing and removing old pidfiles if there..."
         # delete old pidfiles if there
         "$RM" -f /var/run/by.pid > /dev/null 2>&1
else
         # BY instance(s) found
         "$ECHO" "Barnyard already running!"
         "$ECHO" "Please call \"stop\" or \"restart\" first!"
         # Error
         exit 1
fi

# No BY instances running and no old pidfiles there

"$ECHO" "Starting Barnyard now..."
"$BY" -c "$BY_CFG" -f "$BY_SPOOL" -s "$SID" -w "$BY_WALDO"
# wait a second or two so the pidfile gets written...
"$SLEEP" 2

# Both the pidfile and a live Barnyard process must be present
BY_PIDFILE=$(cat /var/run/by.pid 2> /dev/null)
BY_PID=$("$PIDOF" "$BY")

if [ -n "$BY_PIDFILE" ] && [ -n "$BY_PID" ]
then
         "$ECHO" "Barnyard running now with PID $BY_PID."
else
         "$ECHO" -e "ERROR!\n"
         "$ECHO" "An error occurred! Barnyard is not running!"
         exit 1
fi

Regards,
Edin

Patrick S. Harper wrote:

> There is a file called S99snort in the contrib dir where you uncompressed
> the snort source files.  Copy that to /etc/init.d and create a symlink in
> the run levels you want to run it in.  For barnyard I just modified the
> snort init script, or you can just put it in rc.local (it would be better to
> use a script though) 
> 
> Patrick S. Harper | CISSP RHCT MCSE
> www.internetsecurityguru.com
> 
> www.ntsug.org - Snort Users Group
> 
> "If there is no light at the end of the tunnel, get down there and light the
> damn thing yourself!"
>  
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Mike Cohen
> Sent: Tuesday, July 06, 2004 9:34 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] snort/Barnyard startup script
> 
> Hello, 
> 
> I'm fairly new to Linux, and have been tasked with building a snort sensor
> for our network.
> 
> I have Suse 9, snort 2.12 with Barnyard 0.2.0 and mysql up and running. 
> 
> None of the services (apache/mysql/barnyard/snort) are running when I start
> the server.
> 
> I see that I can add apache and mysql to the various runlevels using Yast,
> but I'm not quite sure how exactly to script the startup of snort and
> barnyard.
> 
> I've seen references to snortd, but I can't seem to find any definitive
> references to make snort a daemon, other than the command line switch which
> would mean I'd have to have it in a script somewhere.
> 
> I have no experience with startup scripting of any kind other than dumping
> one-liners in rc.local.
> 
> I see that startup scripts would go in the appropriate runlevel folder, but
> is a startup script as simple as just typing in the snort start command
> with the proper switches, saving it as a file and dumping it in the right
> rc.3 and rc.5 directories? From what I can gather there is more to it, and
> it looks like it involves some C coding (which I don't know).
> 
> Can someone point me in the right direction? All the books mention using some
> runlevel editor tool, but that doesn't seem to apply to snort, since it's not
> a distro-installed service.
> 
> Any help or insight appreciated.
> Thanks.
> 
> Mike C.
> 
> 
> -------------------------------------------------------
> This SF.Net email sponsored by Black Hat Briefings & Training.
> Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self
> defense, top technical experts, no vendor pitches, unmatched networking
> opportunities. Visit www.blackhat.com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Edin Dizdarevic
Networking Development
System Developer

iAS interActive Systems
Gesellschaft fuer interaktive Medien mbH
Dieffenbachstr. 33c
10967 Berlin
Germany

fon     +49-(0)30 69 004-123
fax     +49-(0)30 69 004-101
mail    edin.dizdarevic at ...7509...
URL     http://www.interActive-Systems.de/security
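A more defensive version of the start step in Edin's script, added here as an example and not taken from the original post: it treats a pidfile whose PID is no longer alive as stale, polls for the pidfile instead of sleeping a fixed two seconds, and otherwise uses the same paths and Barnyard options as the script above. The paths, the pidfile location and the 5-second timeout are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Paths are assumptions.
BY="/usr/local/bin/barnyard"
BY_CFG="/etc/snort/barnyard.conf"
BY_SPOOL="/var/log/snort/unified.log"
SID="/etc/snort/sid-msg.map"
BY_WALDO="/var/log/snort/waldo.barnyard"
BY_PIDFILE="/var/run/by.pid"

# pidfile_state FILE: prints "running", "stale" or "absent".
# A pidfile whose PID no longer exists (crash, unclean reboot) is "stale" and
# can be removed before a new instance is started. Run as root: kill -0 on a
# process owned by another user fails with EPERM and would also read as stale.
pidfile_state() {
    pf="$1"
    [ -f "$pf" ] || { echo absent; return 0; }
    pid=$(tr -cd '0-9' < "$pf")   # digits only; an empty or garbage file is stale
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        echo running
    else
        echo stale
    fi
}

# wait_for_pidfile FILE SECONDS: poll instead of a fixed "sleep 2". Returns 0
# as soon as the pidfile names a live process, 1 if that does not happen in time.
wait_for_pidfile() {
    pf="$1"; n="$2"
    while [ "$n" -gt 0 ]; do
        [ "$(pidfile_state "$pf")" = running ] && return 0
        sleep 1
        n=$((n - 1))
    done
    [ "$(pidfile_state "$pf")" = running ]
}

# by_start: refuse to run a second instance, clean a stale pidfile, then
# launch Barnyard with the same options as the script above and verify it.
by_start() {
    case "$(pidfile_state "$BY_PIDFILE")" in
        running) echo "Barnyard already running (PID $(cat "$BY_PIDFILE"))"; return 1 ;;
        stale)   echo "Removing stale pidfile $BY_PIDFILE"; rm -f "$BY_PIDFILE" ;;
    esac
    "$BY" -c "$BY_CFG" -f "$BY_SPOOL" -s "$SID" -w "$BY_WALDO"
    if wait_for_pidfile "$BY_PIDFILE" 5; then
        echo "Barnyard running with PID $(cat "$BY_PIDFILE")"
    else
        echo "ERROR: Barnyard did not come up, check its log" >&2; return 1
    fi
}
```

Hooking this into an init script means calling by_start from its "start" case; "stop" can reuse pidfile_state to decide whether there is anything to signal.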