[Snort-users] Snort Startup Script

Paul Schmehl pauls at ...6838...
Tue Apr 19 09:42:40 EDT 2005


--On Tuesday, April 19, 2005 11:11:27 AM -0400 "Briggs, Bruce" 
<Bruce.Briggs at ...13183...> wrote:

> Actually, the ability to start/run multiple instances of Snort can be
> helpful.
>
> For example, instance 1 can be your standard Snort with all of the
> default rules etc. logging to your standard log database.
> But instance 2 can be a specially crafted instance of Snort, using a
> different snort.conf looking for a special packet type and perhaps
> logging in a different way.
>
> And of course, for those of us with multiple NICs on our Snort server,
> running multiple instances of Snort, 1 for each NIC, is a requirement.
>
And if that is what you want to do, don't use my example to find the 
process, because it will find *all* of them.  I'm not sure what will happen 
then.  I surmise that it will simply take the last PID it finds, but I 
haven't tested that.

In a case like that, you would want to grep for something unique to that 
process.  E.g.

PID=`ps auxw | grep snort1 | grep -v grep | awk '{print $2}'`

or

PID=`ps auxw | grep snort | grep -v grep | grep snort1.conf | awk '{print $2}'`

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
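
A stricter form of the per-instance lookup above, as an added example that is not part of the original message: it matches the -c argument exactly instead of grepping the whole line, and returns a PID only when exactly one instance matches. The function names, config paths and ps sample are constructed for illustration, and it assumes the command starts in column 11 of `ps auxw` output.

```shell
#!/bin/sh
# Constructed sample of `ps auxw` output (not from the original post).
# It includes a grep and an editor that both mention snort1.conf.
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
snort     1201  0.3  2.1  98000 43000 ?        Ss   09:00   0:12 /usr/local/bin/snort -D -i eth0 -c /etc/snort/snort1.conf
snort     1202  0.2  1.9  97000 41000 ?        Ss   09:00   0:09 /usr/local/bin/snort -D -i eth1 -c /etc/snort/snort2.conf
root      1300  0.0  0.0   4000   800 pts/0    S+   09:05   0:00 grep snort1.conf
root      1301  0.0  0.1   9000  2000 pts/1    S+   09:06   0:00 vi /etc/snort/snort1.conf'

# snort_pids CONF
# Reads ps auxw-style lines on stdin and prints the PID of every process
# whose executable is named snort and whose -c argument is exactly CONF.
snort_pids() {
    awk -v conf="$1" '
        {
            is_snort = ($11 ~ /(^|\/)snort$/)   # column 11 = executable
            has_conf = 0
            for (i = 12; i < NF; i++)
                if ($i == "-c" && $(i + 1) == conf) has_conf = 1
            if (is_snort && has_conf) print $2
        }'
}

# single_snort_pid CONF
# Prints the PID only if exactly one instance matches; otherwise fails,
# so a stop/restart action never acts on the wrong or on several PIDs.
single_snort_pid() {
    pids=$(snort_pids "$1")
    count=$(printf '%s\n' "$pids" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "expected 1 snort instance for $1, found $count" >&2
        return 1
    fi
    printf '%s\n' "$pids"
}

# In a startup script the input would be live: ps auxw | single_snort_pid CONF
printf '%s\n' "$SAMPLE_PS" | single_snort_pid /etc/snort/snort1.conf
```
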



