[Snort-users] Multiple Instances of Snort and Barnyard2 Startup script

Jack kingofnerds at ...11827...
Fri Sep 7 08:14:02 EDT 2012


I am successfully using a single barnyard2 configuration by passing
the variable " -i snort$COUNTER" in the startup script, this seems to
be all that is needed to separate the different instances in the
database. I am using mysql and base for the database portion.

On Tue, Sep 4, 2012 at 5:24 PM, beenph <beenph at ...11827...> wrote:
> On Tue, Sep 4, 2012 at 5:09 PM, Jack <kingofnerds at ...11827...> wrote:
>> In case anyone is interested, I modified a start script I found on a
>> forum somewhere to start multiple instances of snort and barnyard2. My
>> setup is using PF_RING on a CentOS 5.8 32bit box to run snort on the
>> last four cores in my 16 core system listening to a single span port
>> from two Juniper switches. I also attached the configs for snort and
>> barnyard2.
>>
>
> Make sure you have multiple by2 configuration with a different instance name
> so you do run into concurrency issue if you log to database.
>
> -elz
>
>
>> #! /bin/sh
>>  #
>> ### BEGIN INIT INFO
>>
>> #---------- begin section for chkconfig support -----
>> # chkconfig: - 93 83
>> # description: Snort and Barnyard2 Sniffer
>> # processname: snortbarn
>> # config: /etc/snort/snort.conf /etc/snort/barnyard2.conf
>> # pidfile: /var/run/snort/
>> #---------- end section for chkconfig support -----
>>
>> #---------- begin section for debian dynamic start scripts -----
>> # Provides: snortbarn
>>
>> # Required-Start: $remote_fs $syslog mysql
>>
>> # Required-Stop: $remote_fs $syslog
>> # Default-Start: 2 3 4 5
>> # Default-Stop: 0 1 6
>>
>> # X-Interactive: true
>>
>> # Short-Description: Start Snort and Barnyard
>> #--------- end section for debian dynamic start scripts -----
>> ### END INIT INFO
>>
>> #/lib/init/vars.sh
>> # source the LSB helpers only if present (the log_* calls below are commented out)
>> [ -r /lib/lsb/init-functions ] && . /lib/lsb/init-functions
>> . /etc/rc.d/init.d/functions # added to support the status function in CentOS
>>
>> do_start() {
>>         #log_daemon_msg "Starting Snort and Barnyard" ""
>>
>>         # Make sure mysql has finished starting
>>
>>         ps_alive=0
>>         while [ $ps_alive -lt 1 ];
>>         do
>>         pidfile=/var/run/mysqld/mysqld.pid
>>         if [ -f "$pidfile" ] && ps `cat $pidfile` >/dev/null 2>&1;
>> then ps_alive=1; fi
>>         #echo "sleeping" >&2
>>         sleep 1
>>         done
>>         # numbers in COUNTER represent the core to which snort binds itself
>>         for COUNTER in 12 13 14 15; do
>>         /usr/local/bin/snort -D -u root -g snort -c /etc/snort/snort.conf \
>>             -i eth1 --pid-path=/var/run/snort$COUNTER \
>>             -l /var/log/snort/$COUNTER --daq-var bindcpu=$COUNTER
>>         /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \
>>             -d /var/log/snort/$COUNTER -f snort.log -i snort$COUNTER \
>>             -w /etc/snort/bylog$COUNTER.waldo -G /etc/snort/gen-msg.map \
>>             -S /etc/snort/sid-msg.map -C /etc/snort/classification.config \
>>             -D 2> /dev/null
>>         #log_end_msg 0
>>         done
>>
>>         return 0
>> }
>>
>> do_stop() {
>>         #log_daemon_msg "Stopping Snort and Barnyard" ""
>>         kill $(pidof snort) 2> /dev/null
>>         kill $(pidof barnyard2) 2> /dev/null
>>         sleep 5
>>         #log_end_msg 0
>>         return 0
>> }
>>
>> #do_status() {
>> #       # some lines to display status of running snort processes
>> #
>> #}
>>
>> case "$1" in
>>   start)
>>         do_start
>>  ;;
>>   stop)
>>         do_stop
>>  ;;
>>   restart)
>>         do_stop
>>         sleep 10
>>         do_start
>>  ;;
>>   status)
>>     status snort
>>     status barnyard2
>>     RETVAL=$?
>>  ;;
>>  *)
>>       echo "Usage: snort-barn {start|stop|restart|status}" >&2
>>     exit 3
>>  ;;
>> esac
>> exit 0
>>
>>
>> --
>> _____________________________________
>>  ---- In the end Nerds will Rule the World ----
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!



-- 
_____________________________________
 ---- In the end Nerds will Rule the World ----
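The posted script leaves do_status as a stub, and its status) branch only runs `status snort`, which looks for a single pidfile and cannot say which of the four per-core instances has died. The following is an added example, not code from the thread or from the Snort project: a status check that walks the per-core layout the script uses. It assumes the same core list as the start loop and that each snort instance writes its pidfile as snort_<iface>.pid under the --pid-path it was started with (/var/run/snort$CORE in the script).

```shell
#!/bin/sh
# Added example, not code from the thread: a per-instance status check for
# the core-per-instance layout of the posted init script. Assumptions: the
# same core list as the start loop, and that each snort instance writes its
# pidfile as snort_<iface>.pid under the --pid-path it was started with
# (/var/run/snort$CORE in the script).

PID_BASE=${PID_BASE:-/var/run}   # overridable so the check can run against a test tree
IFACE=${IFACE:-eth1}             # interface given to snort -i

# pid_alive PIDFILE -> 0 if the file holds the pid of a running process,
# 1 if the file is missing, empty, non-numeric, or the process is gone
pid_alive() {
    [ -f "$1" ] || return 1
    pid=$(tr -dc '0-9' < "$1")
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# snort_status CORE... -> one line per instance; the return value is the
# number of instances not running, so 0 means every instance is healthy
snort_status() {
    down=0
    for core in "$@"; do
        pidfile="$PID_BASE/snort$core/snort_$IFACE.pid"
        if pid_alive "$pidfile"; then
            echo "snort$core: running (pid $(cat "$pidfile"))"
        else
            echo "snort$core: NOT running ($pidfile missing or stale)" >&2
            down=$((down + 1))
        fi
    done
    return "$down"
}

# usage from an init script's status) branch: ./this status
if [ "${1:-}" = status ]; then
    snort_status 12 13 14 15
fi
```

A non-zero return from snort_status is the count of dead instances, so the init script's status) branch can use it directly as RETVAL; a stale pidfile (process gone but file left behind) is reported the same way as a missing one, which is the case a crashed instance leaves behind.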



