[Snort-users] Snorby SBSA

Castle, Shane scastle at ...14946...
Fri Aug 27 13:22:55 EDT 2010


Yep. Mine kills and restarts.

Also, I did a bit of research into Debian startup scripts and it's the
same as Solaris (blech), with /etc/rcn.d directories and K*/S* entries.
Pretty basic stuff. My script would need a little modification.

Since there is some interest:
--------------------8<--------------------------------------------
#!/bin/bash
#
# snort         This script starts and stops snort
#
# chkconfig: - 70 30
# description: Snort IDS
# processname: snort
# config: /etc/snort/snort.conf

# Source function library
. /etc/rc.d/init.d/functions

BASE=snort
DAEMON="-D"
INTERFACES="eth1 eth2"
CONFBASE="/etc/snort/snort"

# Looking for BASE install
[ -f /usr/local/bin/$BASE ] || exit 0

# Location of netconfig
. /etc/sysconfig/network

# Verify that network is available
[ "${NETWORKING}" = "no" ] && exit 0

RETVAL=0
export PCAP_FRAMES=max PCAP_MEMORY=max
# Snort/BASE Call-out
case "$1" in
    start)
        if [ -n "`/sbin/pidof $BASE`" ]; then
            echo -n $"$BASE: already running"
            echo ""
            exit $RETVAL
        fi
        echo -n "Starting snort services: "
        for intf in $INTERFACES; do
            # one daemonised instance per interface, each with its own config
            /usr/local/bin/$BASE -i $intf -c ${CONFBASE}-${intf}.conf \
                $DAEMON --pid-path /var/snort/run
        done
        sleep 1
        action "" /sbin/pidof $BASE
        RETVAL=$?
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/snort
        ;;
    stop)
        echo -n "Shutting down snort services: "
        killproc $BASE
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/snort
        ;;
    restart|reload)
        $0 stop
        $0 start
        RETVAL=$?
        ;;
    status)
        status $BASE
        RETVAL=$?
        ;;
    *)
        echo "Usage: snort {start|stop|restart|reload|status}"
        exit 1
esac

exit $RETVAL
--------------------8<--------------------------------------------

--
Shane Castle
Data Security Mgr, Boulder County IT
GSEC GCIH
303-441-3953


-----Original Message-----
From: JJ Cummings [mailto:cummingsj at ...11827...] 
Sent: Friday, August 27, 2010 11:00
To: Castle, Shane
Cc: <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Snorby SBSA

As a side note, when you are running SO rules and update them, you must
stop the pid and start again, a HUP will not correctly reload the binary
rules.

Sent from the iRoad

On Aug 27, 2010, at 8:51, "Castle, Shane" <scastle at ...14946...>
wrote:

> I have a script for use with the "service" command (and "chkconfig") in
> RHEL5. I'm not familiar with Debian; dunno if it'd transport well. Also
> it's customized for two sensors on one box (must start multiple snort
> instances). I can post on the list or send it if you like.
> 
> --
> Shane Castle
> Data Security Mgr, Boulder County IT
> GSEC GCIH
> 303-441-3953
> 
> -----Original Message-----
> From: Christopher A. Libby [mailto:clibby at ...14973...] 
> Sent: Friday, August 27, 2010 09:38
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snorby SBSA
> 
> I've been using the Snorby SBSA for a few days now, and I must say I
> really like the interface and the easy setup.  I do have a few issues
> that I'd like to manually resolve if anyone has any suggestions.
> 
> First, I'd like to be able to utilized SO rules but Oinkmaster doesn't
> handle them.  I've looked at Pulled Pork on a previous incarnation of
> this machine but I wasn't very successful in getting it to work with
> both VRT and ET rules.  Any suggestions on what else I could use?
> 
> Second, the snort init script simply starts snort - it doesn't allow for
> start/stop/restart.  I'd like to just restart snort to reload the rules,
> but one process gets stuck (no permission to the PID file) so I have to
> reboot the server.  Does anyone have a good Debian init script for
> snort?
> 
> Thanks! - Chris
> 
> ------------------------------------------------------------------------------
> Sell apps to millions through the Intel(R) Atom(Tm) Developer Program
> Be part of this innovative community and reach millions of netbook users
> worldwide. Take advantage of special opportunities to increase revenue and
> speed time-to-market. Join now, and jumpstart your future.
> http://p.sf.net/sfu/intel-atom-d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users