[Snort-users] Multiple Instances of Snort and Barnyard2 Startup script

beenph beenph at ...11827...
Tue Sep 4 17:24:39 EDT 2012


On Tue, Sep 4, 2012 at 5:09 PM, Jack <kingofnerds at ...11827...> wrote:
> In case anyone is interested, I modified a start script I found on a
> forum somewhere to start multiple instances of snort and barnyard2. My
> setup is using PF_RING on a CentOS 5.8 32bit box to run snort on the
> last four cores in my 16 core system listening to a single span port
> from two Juniper switches. I also attached the configs for snort and
> barnyard2.
>

Make sure you have multiple by2 configurations with a different instance name
so you don't run into concurrency issues if you log to a database.

-elz


> #! /bin/sh
> #
> ### BEGIN INIT INFO
>
> #---------- begin section for chkconfig support -----
> # chkconfig: - 93 83
> # description: Snort and Barnyard2 Sniffer
> # processname: snortbarn
> # config: /etc/snort/snort.conf /etc/snort/barnyard2.conf
> # pidfile: /var/run/snort/
> #---------- end section for chkconfig support -----
>
> #---------- begin section for debian dynamic start scripts -----
> # Provides: snortbarn
> # Required-Start: $remote_fs $syslog mysql
> # Required-Stop: $remote_fs $syslog
> # Default-Start: 2 3 4 5
> # Default-Stop: 0 1 6
> # X-Interactive: true
> # Short-Description: Start Snort and Barnyard
> #--------- end section for debian dynamic start scripts -----
> ### END INIT INFO
>
> #. /lib/init/vars.sh
> # source the LSB helpers when present, and the CentOS helpers for the status function
> [ -r /lib/lsb/init-functions ] && . /lib/lsb/init-functions
> . /etc/rc.d/init.d/functions
>
> do_start() {
>         #log_daemon_msg "Starting Snort and Barnyard" ""
>
>         # Make sure mysql has finished starting before barnyard2 tries to log to it
>         pidfile=/var/run/mysqld/mysqld.pid
>         ps_alive=0
>         while [ $ps_alive -lt 1 ]; do
>                 if [ -f "$pidfile" ] && kill -0 "$(cat "$pidfile")" >/dev/null 2>&1; then
>                         ps_alive=1
>                 fi
>                 #echo "sleeping" >&2
>                 sleep 1
>         done
>
>         # numbers in COUNTER represent the core to which each snort instance binds itself;
>         # every instance gets its own pid path, log directory, barnyard2 instance name and waldo file
>         for COUNTER in 12 13 14 15; do
>                 /usr/local/bin/snort -D -u root -g snort -c /etc/snort/snort.conf -i eth1 \
>                         --pid-path=/var/run/snort$COUNTER -l /var/log/snort/$COUNTER \
>                         --daq-var bindcpu=$COUNTER
>                 /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/$COUNTER \
>                         -f snort.log -i snort$COUNTER -w /etc/snort/bylog$COUNTER.waldo \
>                         -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \
>                         -C /etc/snort/classification.config -D 2> /dev/null
>         done
>         #log_end_msg 0
>
>         return 0
> }
>
> do_stop() {
>         #log_daemon_msg "Stopping Snort and Barnyard" ""
>         kill $(pidof snort) 2> /dev/null
>         kill $(pidof barnyard2) 2> /dev/null
>         sleep 5
>         #log_end_msg 0
>         return 0
> }
>
> #do_status() {
> #       # some lines to display status of running snort processes
> #
> #}
>
> case "$1" in
>   start)
>         do_start
>         ;;
>   stop)
>         do_stop
>         ;;
>   restart)
>         do_stop
>         sleep 10
>         do_start
>         ;;
>   status)
>         # report failure if either daemon is down, instead of always exiting 0
>         status snort
>         RETVAL=$?
>         status barnyard2 || RETVAL=$?
>         exit $RETVAL
>         ;;
>   *)
>         echo "Usage: snort-barn {start|stop|restart|status}" >&2
>         exit 3
>         ;;
> esac
>
>
> --
> _____________________________________
>  ---- In the end Nerds will Rule the World ----
>
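A do_status for the stub the quoted script leaves empty, added here as an example and not code from the original post. It assumes snort writes its pidfile as snort_<interface>.pid under --pid-path (so /var/run/snort12/snort_eth1.pid for the script's layout); PID_DIR, IFACE and CORES are overridable so the functions can be exercised against constructed pidfiles, and barnyard2 is left to the original's handling.

```shell
#!/bin/sh
# Added example, not code from the original post: fills the do_status stub.
# Assumption: snort writes <pid-path>/snort_<iface>.pid, so the quoted
# script's instances leave /var/run/snort<core>/snort_eth1.pid behind.
PID_DIR=${PID_DIR:-/var/run}
IFACE=${IFACE:-eth1}
CORES=${CORES:-"12 13 14 15"}   # cores bound in the quoted script

snort_pidfile() { echo "$PID_DIR/snort$1/snort_$IFACE.pid"; }

# Classify one pidfile: 0 = process alive, 1 = no pidfile, 2 = stale or
# garbage pidfile. Checking the recorded pid beats pidof here because pidof
# cannot tell the four instances (or an unrelated snort) apart.
pidfile_state() {
    [ -f "$1" ] || return 1
    pid=$(tr -d '[:space:]' < "$1")
    case "$pid" in ''|*[!0-9]*) return 2 ;; esac
    kill -0 "$pid" 2>/dev/null || return 2
    return 0
}

# One line per instance; exit status 0 only when every instance is alive,
# so "service snortbarn status" is usable from monitoring instead of
# always reporting success.
do_status() {
    rc=0
    for core in $CORES; do
        f=$(snort_pidfile "$core")
        st=0; pidfile_state "$f" || st=$?
        case $st in
            0) echo "snort$core: running (pid $(cat "$f"))" ;;
            1) echo "snort$core: not running"; rc=1 ;;
            2) echo "snort$core: not running, stale pidfile $f"; rc=1 ;;
        esac
    done
    return $rc
}
```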