[Snort-users] Multiple Instances of Snort and Barnyard2 Startup script

Jack kingofnerds at ...11827...
Fri Sep 7 10:44:03 EDT 2012


Yes, you are correct there, however I only have one interface on my
snort box which I am monitoring, so I didn't run into that issue. I
will keep it in mind for future applications.

On Fri, Sep 7, 2012 at 8:51 AM, beenph <beenph at ...11827...> wrote:
> On Fri, Sep 7, 2012 at 8:14 AM, Jack <kingofnerds at ...11827...> wrote:
>> I am successfully using a single barnyard2 configuration by passing
>> the variable " -i snort$COUNTER" in the startup script, this seems to
>> be all that is needed to separate the different instances in the
>> database. I am using mysql and base for the database portion.
>
>
> My bad, you are right on the interface argument. But this will affect the way
> sensors are inserted in the sensor table, changing the interface name to a
> unique identifier.
>
> I would recommend you to use -i $MONITORINTERFACENAME-$COUNTER instead,
> because if you monitor 4 interfaces on the same system
> then you could still encounter $COUNTER collisions.
>
> -elz
>
>
>>
>> On Tue, Sep 4, 2012 at 5:24 PM, beenph <beenph at ...11827...> wrote:
>>> On Tue, Sep 4, 2012 at 5:09 PM, Jack <kingofnerds at ...11827...> wrote:
>>>> In case anyone is interested, I modified a start script I found on a
>>>> forum somewhere to start multiple instances of snort and barnyard2. My
>>>> setup is using PF_RING on a CentOS 5.8 32bit box to run snort on the
>>>> last four cores in my 16 core system listening to a single span port
>>>> from two Juniper switches. I also attached the configs for snort and
>>>> barnyard2.
>>>>
>>>
>>> Make sure you have multiple by2 configurations with a different instance name
>>> so you do not run into concurrency issues if you log to a database.
>>>
>>> -elz
>>>
>>>
>>>> #! /bin/sh
>>>> #
>>>> ### BEGIN INIT INFO
>>>>
>>>> #---------- begin section for chkconfig support -----
>>>> # chkconfig: - 93 83
>>>> # description: Snort and Barnyard2 Sniffer
>>>> # processname: snortbarn
>>>> # config: /etc/snort/snort.conf /etc/snort/barnyard2.conf
>>>> # pidfile: /var/run/snort/
>>>> #---------- end section for chkconfig support -----
>>>>
>>>> #---------- begin section for debian dynamic start scripts -----
>>>> # Provides: snortbarn
>>>>
>>>> # Required-Start: $remote_fs $syslog mysql
>>>>
>>>> # Required-Stop: $remote_fs $syslog
>>>> # Default-Start: 2 3 4 5
>>>> # Default-Stop: 0 1 6
>>>>
>>>> # X-Interactive: true
>>>>
>>>> # Short-Description: Start Snort and Barnyard
>>>> #--------- end section for debian dynamic start scripts -----
>>>> ### END INIT INFO
>>>>
>>>> #. /lib/init/vars.sh
>>>> # Source the LSB helpers where they exist (the original ran the file
>>>> # as a command instead of sourcing it, which has no effect).
>>>> [ -r /lib/lsb/init-functions ] && . /lib/lsb/init-functions
>>>> . /etc/rc.d/init.d/functions # added to support the status function in CentOS
>>>>
>>>> do_start() {
>>>>         #log_daemon_msg "Starting Snort and Barnyard" ""
>>>>
>>>>         # Make sure mysql has finished starting before barnyard2 tries to
>>>>         # connect; give up after 60 seconds instead of blocking the boot.
>>>>         pidfile=/var/run/mysqld/mysqld.pid
>>>>         waited=0
>>>>         until [ -f "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null; do
>>>>                 if [ "$waited" -ge 60 ]; then
>>>>                         echo "mysqld did not start, not starting snort/barnyard2" >&2
>>>>                         return 1
>>>>                 fi
>>>>                 #echo "sleeping" >&2
>>>>                 sleep 1
>>>>                 waited=$((waited + 1))
>>>>         done
>>>>
>>>>         # numbers in COUNTER represent the core to which snort binds itself
>>>>         for COUNTER in 12 13 14 15; do
>>>>                 # snort -l does not create its log directory; make sure the
>>>>                 # per-instance spool and pid directories exist
>>>>                 mkdir -p /var/run/snort$COUNTER /var/log/snort/$COUNTER
>>>>                 # -u root keeps snort running as root; use an unprivileged
>>>>                 # user here if your DAQ setup permits it
>>>>                 /usr/local/bin/snort -D -u root -g snort -c /etc/snort/snort.conf \
>>>>                         -i eth1 --pid-path=/var/run/snort$COUNTER \
>>>>                         -l /var/log/snort/$COUNTER --daq-var bindcpu=$COUNTER
>>>>                 # -i must be unique per instance so each barnyard2 gets its
>>>>                 # own row in the sensor table
>>>>                 /usr/local/bin/barnyard2 -D -c /etc/snort/barnyard2.conf \
>>>>                         -d /var/log/snort/$COUNTER -f snort.log -i snort$COUNTER \
>>>>                         -w /etc/snort/bylog$COUNTER.waldo -G /etc/snort/gen-msg.map \
>>>>                         -S /etc/snort/sid-msg.map -C /etc/snort/classification.config \
>>>>                         2>/dev/null
>>>>         done
>>>>         #log_end_msg 0
>>>>
>>>>         return 0
>>>> }
>>>>
>>>> do_stop() {
>>>>         #log_daemon_msg "Stopping Snort and Barnyard" ""
>>>>         # the original redirected to /dev/nul, which creates a regular
>>>>         # file of that name instead of discarding the output
>>>>         kill $(pidof snort) 2>/dev/null
>>>>         kill $(pidof barnyard2) 2>/dev/null
>>>>         sleep 5
>>>>         #log_end_msg 0
>>>>         return 0
>>>> }
>>>>
>>>> #do_status() {
>>>> #       # some lines to display status of running snort processes
>>>> #
>>>> #}
>>>>
>>>> case "$1" in
>>>>   start)
>>>>         do_start
>>>>  ;;
>>>>   stop)
>>>>         do_stop
>>>>  ;;
>>>>   restart)
>>>>         do_stop
>>>>         sleep 10
>>>>         do_start
>>>>  ;;
>>>>   status)
>>>>         status snort
>>>>         status barnyard2
>>>>         RETVAL=$?
>>>>         # report the status result instead of always exiting 0
>>>>         exit $RETVAL
>>>>  ;;
>>>>  *)
>>>>       echo "Usage: snort-barn {start|stop|restart|status}" >&2
>>>>     exit 3
>>>>  ;;
>>>> esac
>>>> exit 0
>>>>
>>>>
>>>> --
>>>> _____________________________________
>>>>  ---- In the end Nerds will Rule the World ----
>>>>
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>
>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!







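The naming point raised in the reply, as an added example that is not the script from the thread nor part of Snort or Barnyard2: a POSIX sh launcher that builds one Snort/Barnyard2 pair per (interface, core), puts the interface name and core number into the Barnyard2 -i value, and counts how many sensor-name collisions the original snort$COUNTER scheme would produce once more than one interface is monitored. The interface names, core numbers, and base directories are assumptions; the option letters are the ones used in the thread, the DAQ is assumed to be selected in snort.conf as there, and running snort as user snort and keeping the waldo file beside its spool are my choices.

```shell
#!/bin/sh
# Added example (not the init script from the thread). Per-instance naming
# for multi-interface, multi-core Snort + Barnyard2, with a collision check.
# Interfaces, cores and the directories below are assumptions for illustration.

SNORT_BIN=${SNORT_BIN:-/usr/local/bin/snort}
BY2_BIN=${BY2_BIN:-/usr/local/bin/barnyard2}
SNORT_ETC=${SNORT_ETC:-/etc/snort}
LOG_BASE=${LOG_BASE:-/var/log/snort}
RUN_BASE=${RUN_BASE:-/var/run/snort}

# instance_name SCHEME IFACE CORE
#   naive  -> snort<CORE>     (the thread's original -i value)
#   unique -> <IFACE>-<CORE>  (the value recommended in the reply)
instance_name() {
    case "$1" in
        naive)  printf 'snort%s\n' "$3" ;;
        unique) printf '%s-%s\n' "$2" "$3" ;;
        *)      echo "instance_name: unknown scheme '$1'" >&2; return 1 ;;
    esac
}

# collision_count SCHEME "IFACE..." "CORE..."
# Prints how many instance names would be shared by two or more pairs. Each
# shared name is one sensor-table row that several Barnyard2 processes write to.
collision_count() {
    for iface in $2; do
        for core in $3; do
            instance_name "$1" "$iface" "$core"
        done
    done | sort | uniq -d | wc -l | tr -d ' '
}

# snort_cmd IFACE CORE: one Snort instance pinned to CORE through the PF_RING
# DAQ variable (the DAQ itself is assumed to be set in snort.conf, as in the
# thread). Pid path and spool directory are both per instance.
snort_cmd() {
    name=$(instance_name unique "$1" "$2")
    printf '%s\n' "$SNORT_BIN -D -u snort -g snort -c $SNORT_ETC/snort.conf \
-i $1 --pid-path=$RUN_BASE/$name -l $LOG_BASE/$name --daq-var bindcpu=$2"
}

# by2_cmd IFACE CORE: the matching Barnyard2 reader. -i carries the unique
# name so every pair gets its own sensor row; the waldo bookmark lives next
# to the spool it indexes (my choice; the thread keeps it under /etc/snort).
by2_cmd() {
    name=$(instance_name unique "$1" "$2")
    printf '%s\n' "$BY2_BIN -D -c $SNORT_ETC/barnyard2.conf -d $LOG_BASE/$name \
-f snort.log -w $LOG_BASE/$name/barnyard2.waldo -i $name \
-G $SNORT_ETC/gen-msg.map -S $SNORT_ETC/sid-msg.map -C $SNORT_ETC/classification.config"
}

# prepare_dirs "IFACE..." "CORE...": create the per-instance spool and pid
# directories; snort -l does not create its log directory by itself.
prepare_dirs() {
    for iface in $1; do
        for core in $2; do
            name=$(instance_name unique "$iface" "$core")
            mkdir -p "$LOG_BASE/$name" "$RUN_BASE/$name" || return 1
        done
    done
}

# plan "IFACE..." "CORE...": print every command line (dry run). Refuses to
# continue if the chosen lists still produce duplicate instance names.
plan() {
    n=$(collision_count unique "$1" "$2")
    [ "$n" -eq 0 ] || { echo "plan: $n duplicate instance name(s)" >&2; return 1; }
    for iface in $1; do
        for core in $2; do
            snort_cmd "$iface" "$core"
            by2_cmd "$iface" "$core"
        done
    done
}

# Dry run:   plan "eth1 eth2" "12 13 14 15"
# To launch: prepare_dirs "eth1 eth2" "12 13 14 15" && plan "eth1 eth2" "12 13 14 15" | sh
```

With two interfaces and the thread's four cores, collision_count naive reports 4 shared names (snort12 through snort15 each used twice), while the interface-plus-core scheme reports 0; plan refuses to emit anything unless that check passes, so a duplicated core in the list is caught before any process is started.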