[Snort-users] Multiple Instances of Snort and Barnyard2 Startup script

Jack kingofnerds at ...11827...
Tue Sep 4 17:09:20 EDT 2012


In case anyone is interested, I modified a start script I found on a
forum somewhere to start multiple instances of snort and barnyard2. My
setup is using PF_RING on a CentOS 5.8 32bit box to run snort on the
last four cores in my 16 core system listening to a single span port
from two Juniper switches. I also attached the configs for snort and
barnyard2.

#! /bin/sh
 #
### BEGIN INIT INFO

#---------- begin section for chkconfig support -----
# chkconfig: - 93 83
# description: Snort and Barnyard2 Sniffer
# processname: snortbarn
# config: /etc/snort/snort.conf /etc/snort/barnyard2.conf
# pidfile: /var/run/snort/
#---------- end section for chkconfig support -----

#---------- begin section for debian dynamic start scripts -----
# Provides: snortbarn

# Required-Start: $remote_fs $syslog mysql

# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6

# X-Interactive: true

# Short-Description: Start Snort and Barnyard
#--------- end section for debian dynamic start scripts -----
### END INIT INFO

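#/lib/init/vars.sh
# Source (not execute) the LSB helper library when it is installed. A bare
# path on its own line is run as a command in a child process, so none of its
# functions would ever be defined in this shell.
[ -r /lib/lsb/init-functions ] && . /lib/lsb/init-functions
. /etc/rc.d/init.d/functions # added to support the status function in CentOS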

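#######################################
# Start one snort and one barnyard2 instance per CPU core listed below,
# after waiting for mysqld to come up.
# Globals:   MYSQL_WAIT_SECS (read, optional) - seconds to wait for mysqld
#            before giving up; defaults to 120
# Outputs:   an error message on stderr if mysqld never appears
# Returns:   0 once the launch commands have been issued, 1 on timeout
#######################################
do_start() {
        #log_daemon_msg "Starting Snort and Barnyard" ""

        # Make sure mysql has finished starting. The wait is bounded so that a
        # mysqld that never comes up cannot hang the boot sequence forever.
        pidfile=/var/run/mysqld/mysqld.pid
        max_wait=${MYSQL_WAIT_SECS:-120}
        waited=0
        # "ps -p" with a quoted PID fails on an empty pidfile; a bare "ps" with
        # no argument would succeed and be mistaken for a live mysqld.
        until [ -f "$pidfile" ] && ps -p "$(cat "$pidfile")" >/dev/null 2>&1; do
                if [ "$waited" -ge "$max_wait" ]; then
                        echo "snortbarn: mysqld not running after ${max_wait}s; sensors not started" >&2
                        return 1
                fi
                #echo "sleeping" >&2
                sleep 1
                waited=$((waited + 1))
        done

        # numbers in COUNTER represent the core to which snort binds itself
        for COUNTER in 12 13 14 15; do
                # Each command must stay one logical line (continued with "\");
                # if the options wrap onto lines of their own, the shell runs
                # them as separate commands and the daemon starts without them.
                #
                # NOTE(review): "-u root" means snort keeps running as root
                # after initialisation. If the capture setup allows it, a
                # dedicated unprivileged account would limit the impact of a
                # flaw in the packet-parsing code - confirm against the
                # PF_RING requirements.
                /usr/local/bin/snort -D -u root -g snort \
                        -c /etc/snort/snort.conf -i eth1 \
                        --pid-path="/var/run/snort$COUNTER" \
                        -l "/var/log/snort/$COUNTER" \
                        --daq-var "bindcpu=$COUNTER"

                # stderr is discarded as before, but to /dev/null: a misspelt
                # device name makes root create a regular file under /dev that
                # grows with every message. Note that this also hides
                # barnyard2 start-up errors.
                /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \
                        -d "/var/log/snort/$COUNTER" -f snort.log \
                        -i "snort$COUNTER" \
                        -w "/etc/snort/bylog$COUNTER.waldo" \
                        -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \
                        -C /etc/snort/classification.config -D 2>/dev/null
                #log_end_msg 0
        done

        return 0
}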

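#######################################
# Stop all running snort and barnyard2 processes.
# Processes are matched by name via pidof, so instances started outside this
# script are signalled as well.
# Returns:   0 always
#######################################
do_stop() {
        #log_daemon_msg "Stopping Snort and Barnyard" ""

        for daemon in snort barnyard2; do
                pids=$(pidof "$daemon")
                # Skip kill when nothing matched, so it is never called without
                # a PID. $pids is deliberately unquoted: pidof prints a
                # space-separated list and kill needs one argument per PID.
                # Errors go to /dev/null; a misspelt device name would make
                # root create a regular file under /dev instead.
                [ -n "$pids" ] && kill $pids 2>/dev/null
        done

        # Give the daemons time to exit before the caller continues
        sleep 5
        #log_end_msg 0
        return 0
}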

#do_status() {
#       # some lines to display status of running snort processes
#
#}

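# Dispatch on the requested action and exit with that action's result, so
# that callers (service, monitoring checks) can tell a running sensor from a
# dead one instead of always seeing success.
case "$1" in
  start)
        do_start
        RETVAL=$?
        ;;
  stop)
        do_stop
        RETVAL=$?
        ;;
  restart)
        do_stop
        sleep 10
        do_start
        RETVAL=$?
        ;;
  status)
        # Report both daemons; a failure of either one is kept rather than
        # being overwritten by the result of the later check.
        RETVAL=0
        status snort || RETVAL=$?
        status barnyard2 || RETVAL=$?
        ;;
  *)
        echo "Usage: snort-barn {start|stop|restart|status}" >&2
        exit 3
        ;;
esac
exit $RETVAL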


--
_____________________________________
 ---- In the end Nerds will Rule the World ----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: barnyard2.conf
Type: application/octet-stream
Size: 8285 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120904/9dd76789/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.conf
Type: application/octet-stream
Size: 24906 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120904/9dd76789/attachment-0001.obj>

