[Snort-users] Snort Startup Script

Briggs, Bruce Bruce.Briggs at ...13183...
Tue Apr 19 08:21:41 EDT 2005

Actually, the ability to start/run multiple instances of Snort can be

For example, instance 1 can be your standard Snort with all of the
default rules etc. logging to your standard log database.
But instance 2 can be a specially crafted instance of Snort, using a
different snort.conf looking for a special packet type and perhaps
logging in a different way.

And of course, for those of us with multiple NICs on our Snort server,
running multiple instances of Snort, 1 for each NIC, is a requirement.


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Paul
Sent: Monday, April 18, 2005 7:04 PM
To: dogbert at ...11664...; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort Startup Script

--On Monday, April 18, 2005 03:21:08 PM -0700 dogbert at ...11664...
>#!/bin/bash
># $Id: S99snort,v 1.1 2001/12/18 22:14:37 cazz Exp $
># /etc/init.d/snort : start or stop the SNORT Intrusion Database System
># Written by Lukasz Szmit <ptashek at ...8563...>
># Configuration
># set config file & path to snort executable
> SNORT_PATH=/usr/local/bin
># CONFIG=/usr/local/share/snort/snort.conf
> CONFIG=/usr/local/etc/snort.conf
># set interface
> IFACE=eth1
># set GID/Group Name
> SNORT_GID=nobody
># other options
> OPTIONS="-D -b"
># End of configuration
> test -x $SNORT_PATH/snort || exit 0
># is snort already running, if so, exit...
> case "$1" in
>      start)
># check to see if snort is already running, if so, exit...
>         if [ -e /var/run/snort* ]; then
>             echo Snort already running...exiting...
>             exit 0
>         fi
>         echo "Starting Intrusion Database System: SNORT"
>         $SNORT_PATH/snort -c $CONFIG -i $IFACE -g $SNORT_GID $OPTIONS
>         if [ "`pidof $SNORT_PATH/snort`" ]; then
>                 echo "SNORT is up and running!"
>         else
>                 exit 0
>         fi
>         echo -n "."
>         ;;
> I only posted up thru the start) section, but my question becomes, is
> this the correct way to determine if snort is already running, or do
> other readers have a better idea or way to do this?
This does nothing except verify that an executable file named snort
exists in /usr/local/bin.  If you want to test to see if snort is running,
you have to look at running processes.

Something along these lines should work (but not tested, so YMMV):

PID=`ps auxw | grep $SNORT_PATH/snort | grep -v grep | awk '{print $2}'`
# a non-empty PID list means a matching snort process was found
if [ -n "$PID" ]; then
  echo "Snort is already running"
  exit 1
fi

You *could* check for the existence of the pidfile, but that's not
a guarantee that the process is actually running.  Safer to look at the
processes themselves.  Also, if you have pgrep on your system, you can
use that instead:

PID=`pgrep snort`

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
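
Added example, not part of either post: a shell function that combines the two checks discussed in this thread (pidfile and live process) and works per interface, so it also fits the one-instance-per-NIC setups described at the top. The pidfile name snort_<iface>.pid, the function names and the return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Decide whether the Snort instance for ONE interface is alive, using its
# pidfile AND the process table, so a stale pidfile or a recycled PID is
# not mistaken for a running sensor.
# Assumptions: pidfiles are named snort_<iface>.pid inside PIDDIR, and the
# daemon's command line contains NAME (default: snort).

# proc_cmdline PID -> prints the command line of PID, empty if unknown
proc_cmdline() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -p "$1" -o args= 2>/dev/null
    fi
}

# snort_status PIDDIR IFACE [NAME]
# returns 0 = running, 1 = no pidfile, 2 = stale or foreign pidfile
snort_status() {
    piddir=$1 iface=$2 name=${3:-snort}
    pidfile="$piddir/snort_$iface.pid"
    [ -f "$pidfile" ] || return 1
    read -r pid < "$pidfile" || true
    # reject empty or non-numeric pidfile content
    case "$pid" in ''|*[!0-9]*) return 2 ;; esac
    # signal 0 only tests that the PID exists (run as root, as init does)
    kill -0 "$pid" 2>/dev/null || return 2
    # the PID may have been recycled by an unrelated process
    case "$(proc_cmdline "$pid")" in
        *"$name"*) return 0 ;;
        *) return 2 ;;
    esac
}

# Typical use inside start):
#   snort_status /var/run "$IFACE" && { echo "already running"; exit 0; }
```

A return code of 2 is the case worth logging: the sensor for that interface died without cleaning up, so the pidfile should be removed before a restart.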
