[Snort-users] Ubuntu 8 /etc/rc.local issue

Ams ams.sec at ...11827...
Fri Aug 7 18:42:59 EDT 2009


Awesome. Works like a charm. Thanks for all your help, guys.

On Fri, Aug 7, 2009 at 4:20 PM, Tommie Giles <tgiles at ...11827...> wrote:

> Yep, you can run multiple instances of Snort, as long as there's one
> per interface.
>
> For me, I took the lazy route and have this in my /etc/init.d/snort:
>
> for i in `/sbin/ifconfig | grep eth | /usr/bin/awk ' { print $1 } '`
> do
>     /usr/local/bin/snort -i $i -c /etc/snort/snort.conf -D -F /etc/snort/excludes.conf &
>     echo "starting snort for $i with PID $!"
> done
>
> This will grab a list of all running interfaces (but not bonded ones,
> which are normally named bond0, bond1, etc over here), and run Snort
> against them.
>
> One stop shopping.
>
> tom
>
> On Fri, Aug 7, 2009 at 4:01 PM, Ams<ams.sec at ...11827...> wrote:
> > I should be able to run 2 instances of Snort (one for each interface) and
> > Barnyard in Daemon mode? Is that correct? Thanks for your time.
> >
> > On Fri, Aug 7, 2009 at 3:31 PM, Michael Boman <michael.boman at ...11827...>
> > wrote:
> >>
> >> Run snort in daemon mode, your system is still waiting for the snort
> >> process to complete.
> >>
> >> Best regards
> >> Michael Boman
> >>
> >> On Fri, Aug 7, 2009 at 22:10, Ams <ams.sec at ...11827...> wrote:
> >>>
> >>> Hi Guys,
> >>>
> >>> I am trying to run snort at boot time automatically. Using Ubuntu 8 -
> >>> Snort, barnyard compiled from source, 3 interfaces in total - 2 interfaces
> >>> for NIDS and 1 for management. I edited the /etc/rc.local file and added the
> >>> following lines:
> >>>
> >>> Contents of /etc/rc.local
> >>> ------------------------------------------------------------------
> >>> ifconfig eth0 up promisc
> >>> /usr/local/bin/snort -c /etc/snort.conf -i eth0
> >>> sudo /usr/local/bin/barnyard2 -c /etc/snort/barn2.conf -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo
> >>>
> >>> ifconfig eth1 up promisc
> >>> /usr/local/bin/snort -c /etc/snort.conf -i eth1
> >>> sudo /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo
> >>> ------------------------------------------------------------------
> >>>
> >>> When I do ps -aux|grep snort on startup, all I see running is
> >>> /usr/local/bin/snort -c /etc/snort.conf -i eth0. Why didn't the remaining
> >>> commands execute? Will appreciate your input. Thanks a bunch.
> >>>
> >>> Ams
> >>>
> >>> _______________________________________________
> >>> Snort-users mailing list
> >>> Snort-users at lists.sourceforge.net
> >>> Go to this URL to change user options or unsubscribe:
> >>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>> Snort-users list archive:
> >>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>
> >>
> >>
> >> --
> >> http://michaelboman.org - Security Blog & Wiki
> >
> >
> >
> > --
> > Amit Bakhshi
> > Associate of (ISC)2 in CISSP, GPEN, GCIH, GWAS, GSEC, GISF, SSP-GHD, MCP,
> > SCJA
> >
> >
>
>
>
> --
> Tommie Giles
>
> "If all else fails, immortality can always be assured by spectacular
> error."
>



-- 
Ams
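
The fix the thread arrives at (daemon mode, one Snort instance per sensing interface), written out as a boot-script helper. This is an added example, not code posted by anyone in the thread; `MGMT_IF`, the per-interface log directories under `/var/log/snort/<iface>`, the `DRY_RUN` switch and the sample interface list are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread. MGMT_IF, the per-interface log
# directories and the DRY_RUN switch are assumptions of this example.
MGMT_IF="${MGMT_IF:-eth2}"   # assumed management interface, never sniffed
SNORT=/usr/local/bin/snort
BARNYARD=/usr/local/bin/barnyard2
LOG_ROOT=/var/log/snort

# Read interface names on stdin and print the ones Snort should listen on:
# ethN only, skipping the management interface (bondN, lo etc. never match).
sensor_ifaces() {
    while read -r ifname; do
        case "$ifname" in
            "$MGMT_IF") ;;                          # management port: skip
            eth[0-9]*)  printf '%s\n' "$ifname" ;;
        esac
    done
}

# Print the boot-time commands for one interface. -D makes each process
# detach, so the boot script goes on to the next line instead of waiting.
sensor_cmds() {
    ifname=$1
    logdir="$LOG_ROOT/$ifname"
    printf '%s\n' "mkdir -p $logdir"
    printf '%s\n' "ifconfig $ifname up promisc"
    printf '%s\n' "$SNORT -D -i $ifname -c /etc/snort/snort.conf -l $logdir"
    printf '%s %s\n' "$BARNYARD -D -c /etc/snort/barnyard2.conf" \
        "-G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d $logdir -f snort.log -w $logdir/barnyard.waldo"
}

# Dry run by default: print the plan. DRY_RUN=0 executes it line by line.
start_sensors() {
    sensor_ifaces | while read -r ifname; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            sensor_cmds "$ifname"
        else
            sensor_cmds "$ifname" | sh -e
        fi
    done
}

# Constructed sample input standing in for the host's interface list.
SAMPLE_IFACES=$(printf '%s\n' lo eth0 eth1 eth2 bond0)
printf '%s\n' "$SAMPLE_IFACES" | start_sensors
```

Giving each interface its own log directory and waldo file keeps the two barnyard2 instances from reading the same spool and sharing one bookmark.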