[Snort-users] Ubuntu 8 /etc/rc.local issue

Tommie Giles tgiles at ...11827...
Fri Aug 7 17:20:00 EDT 2009


Yep, you can run multiple instances of Snort, as long as there's one
per interface.

For me, I took the lazy route and have this in my /etc/init.d/snort:

# Start one Snort daemon per eth* interface listed by ifconfig
for i in `/sbin/ifconfig | grep eth | /usr/bin/awk ' { print $1 } '`
do
/usr/local/bin/snort -i "$i" -c /etc/snort/snort.conf -D -F /etc/snort/excludes.conf &
echo "starting snort for $i with PID $!"
done

This will grab a list of all running interfaces (but not bonded ones,
which are normally named bond0, bond1, etc over here), and run Snort
against them.

One stop shopping.

tom

On Fri, Aug 7, 2009 at 4:01 PM, Ams<ams.sec at ...11827...> wrote:
> I should be able to run 2 instances of Snort (one for each interface) and
> Barnyard in Daemon mode? Is that correct? Thanks for your time.
>
> On Fri, Aug 7, 2009 at 3:31 PM, Michael Boman <michael.boman at ...11827...>
> wrote:
>>
>> Run snort in daemon mode, your system is still waiting for the snort
>> process to complete.
>>
>> Best regards
>> Michael Boman
>>
>> On Fri, Aug 7, 2009 at 22:10, Ams <ams.sec at ...11827...> wrote:
>>>
>>> Hi Guys,
>>>
>>> I am trying to run snort at boot time automatically. Using Ubuntu 8-
>>> Snort, barnyard compiled from source, 3 interfaces in total- 2 interfaces
>>> for NIDS and 1 for management. I edited the /etc/rc.local file and added the
>>> following lines:
>>>
>>> Contents of /etc/rc.local
>>> ------------------------------------------------------------------
>>> ifconfig eth0 up promisc
>>> /usr/local/bin/snort -c /etc/snort.conf -i eth0
>>> sudo /usr/local/bin/barnyard2 -c /etc/snort/barn2.conf -G
>>> /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d /var/log/snort -f
>>> snort.log -w /var/log/snort/barnyard.waldo
>>>
>>> ifconfig eth1 up promisc
>>> /usr/local/bin/snort -c /etc/snort.conf -i eth1
>>> sudo /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -G
>>> /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d /var/log/snort -f
>>> snort.log -w /var/log/snort/barnyard.waldo
>>> ------------------------------------------------------------------------
>>>
>>> When I do ps -aux|grep snort on startup, all I see running is
>>> /usr/local/bin/snort -c /etc/snort.conf -i eth0. Why didn't the remaining
>>> commands execute? Will appreciate your input. Thanks a bunch.
>>>
>>> Ams
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>>
>>
>> --
>> http://michaelboman.org - Security Blog & Wiki
>
>
>
> --
> Amit Bakhshi
> Associate of (ISC)2 in CISSP, GPEN, GCIH, GWAS, GSEC, GISF, SSP-GHD, MCP,
> SCJA
>



-- 
Tommie Giles

"If all else fails, immortality can always be assured by spectacular error."




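Added example, not part of the original message or of the Snort project's code: a dry-run generator that prints daemonized start-up lines for each sniffing interface, so a boot script does not stop after the first Snort and leave the second interface unmonitored. The management interface name (eth2), the per-interface log directories and the separate waldo files are assumptions; binary and config paths are the ones quoted in the thread.

```sh
#!/bin/sh
# Added example. MGMT_IF, LOG_ROOT and the per-interface directory layout are
# assumptions; binary and config paths are the ones quoted in the thread.
MGMT_IF="${MGMT_IF:-eth2}"
LOG_ROOT="${LOG_ROOT:-/var/log/snort}"

# Read old-style (net-tools) ifconfig text on stdin and print sniffing
# interfaces: eth* only, no aliases (eth0:1), no management interface.
sniff_ifaces() {
    awk -v mgmt="$MGMT_IF" '$1 ~ /^eth[0-9]+$/ && $1 != mgmt { print $1 }'
}

# Print the start-up commands for one interface. -D detaches Snort and
# barnyard2, so the boot script moves on instead of waiting on the first one.
start_cmds() {
    dir="$LOG_ROOT/$1"
    echo "mkdir -p $dir"
    echo "ifconfig $1 up promisc"
    echo "/usr/local/bin/snort -D -i $1 -c /etc/snort/snort.conf -l $dir"
    echo "/usr/local/bin/barnyard2 -D -c /etc/snort/barnyard2.conf" \
         "-G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map" \
         "-d $dir -f snort.log -w $dir/barnyard.waldo"
}

# Build the full plan from ifconfig text on stdin.
plan() {
    for i in $(sniff_ifaces); do
        start_cmds "$i"
    done
}

# Constructed sample input in the old net-tools ifconfig layout.
sample_ifconfig() {
    cat <<'EOF'
bond0     Link encap:Ethernet  HWaddr 00:00:5e:00:53:0a
eth0      Link encap:Ethernet  HWaddr 00:00:5e:00:53:01
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
eth0:1    Link encap:Ethernet  HWaddr 00:00:5e:00:53:01
eth1      Link encap:Ethernet  HWaddr 00:00:5e:00:53:02
eth2      Link encap:Ethernet  HWaddr 00:00:5e:00:53:03
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
EOF
}

# Dry run over the sample. On a sensor: /sbin/ifconfig | plan | sh
sample_ifconfig | plan
```

After boot, `ps aux | grep -c '[s]nort -D'` should equal the number of sniffing interfaces; a lower count means one interface is not being inspected.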