[Snort-users] Startup Script (init.d)

test engineer test12524 at ...11827...
Wed Nov 5 09:56:39 EST 2014


Robert,
Thanks for your time and providing your script.  I'm debugging the script
provided by SNORT and may incorporate some of your code.
I'll repost if there is something I can share.

On Fri, Oct 31, 2014 at 10:00 AM, Robert Millott <
robm at ...16885...> wrote:

> Here is a copy of my script. May not be the best thing possible, but it
> works for us.  If anyone has suggestions on how to improve it, Ill
> definitely take them.
>
> #!/bin/sh
> #get the interface that doesn't have an ipv4 address assigned to it.
> Assume thats the sniffing interface
> export iface=$(ifconfig | grep -B1 "inet6" | awk '$1!="inet6" && $1!="--"
> && $1!="inet" {print $1}' | sed 's/:$//
>
>            ')
> ifconfig $iface up
> if [ -f /etc/snort/pid1/snort*.pid ]
>      then
>         echo -e "Shutting down Snort" //etc/snort/pid1/snort_$iface.pid
> "\n"
>         /sbin/start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet
> --pidfile /etc/snort/pid1/snort_$iface.pid
>         if [ $? -gt 0 ]
>         then
>                 echo "start-stop-daemon failed. See above for reason"
>                 sleep 15
>         fi
> fi
>
> if [ -f /etc/snort/pid1/barnyar2.pid ]
> then
>         echo -d "Shutting down Barnyard "
> /etc/snort/pid1/barnyard2_$iface.pid "\n"
>         /sbin/start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet
> --pidfile /etc/snort/pid1/barnyard2_$iface.
>
>                pid
>         if [ $? -gt 0 ]
>                 then
>                 echo "start-stop-daemon failed. See above for reason"
>                 sleep 15
>         fi
> fi
>
> if [ -f /etc/snort/pid2/snort*.pid ]
> then
>         echo -e "Shutting down second instance of snort"
> /etc/snort/pid2/snort_$iface.pid "\n"
>         /sbin/start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet
> --pidfile /etc/snort/pid1/barnyard2_$iface.
>
>                pid
>         if [ $? -gt 0 ]
>         then
>                 echo "start-stop-daemon failed. See above for reason"
>                 sleep 15
>         fi
> fi
> if [ -f /etc/snort/pid1/barnyar2.pid ]
> then
>         echo -d "Shutting down Barnyard "
> /etc/snort/pid2/barnyard2_$iface.pid "\n"
>         /sbin/start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet
> --pidfile /etc/snort/pid2/barnyard2_$iface.pid
>         if [ $? -gt 0 ]
>         then
>                 echo "start-stop-daemon failed. See above for reason"
>                 sleep 15
>         fi
> fi
> echo "ensuring all snort and barnyard processes are killed"
> killall snort
> killall barnyard2
> rm -rf /etc/snort/pid1/barnyard*
> echo -e "Starting Snort\n"
> /usr/bin/snort -c /etc/snort/snort1.conf --pid-path /etc/snort/pid1 --daq
> pcap --daq-dir /usr/lib64/daq --daq-mode passive -i $iface -F
> /etc/snort/bpf.filter -D
> if [ $? -gt 0 ]
> then
>         tail /var/log/messages -n 200 | grep snort | grep ERROR
>         echo "starting snort failed.  See above for reason"
>         sleep 15
> fi
> echo -e "starting Barnyard\n"
> /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f
> snort.u2 -w /var/log/snort/barnyard1.waldo -i barnyard1 -I --pid-path
> /etc/snort/pid1 -D
> if [ $? -gt 0 ]
> then
>         tail /var/log/messages -n 200 | grep barnyard| grep ERROR
>         echo "starting barnyard failed.  See above for reason"
>         sleep 15
> fi
> #if a second bpf filter exists, run a second instance of snort using
> second bpf filter
> if [ -f /etc/snort/bpf_*.filter ]
> then
>         echo -e "Starting second instance of Snort\n"
>         /usr/sbin/snort -c /etc/snort/snort2.conf --pid-path
> /etc/snort/pid2 -daq pcap --daq-dir /usr/lib64/daq --daq-mode passive -i
> $iface -F /etc/snort/bpf_*.filter -D
>         echo -e "starting second instance of Barnyard\n"
>         /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d
> /var/log/snort -f snort2.u2 -w /var/log/snort/barnyard2.waldo -i barnyard2
> -I --pid-path /etc/snort/pid2 -D
> fi
>
>
> On Fri, Oct 31, 2014 at 9:16 AM, test engineer <test12524 at ...11827...>
> wrote:
>
>> Greetings, I'm evaluating Snort in a lab environment and need some
>> assistance creating an init.d startup script. I have attempted to use the
>> one provided by the Snort community but can't get it to work.
>>
>> I have a Dell R720xd running CentOS 6.5 minimal install. Running 8 daemon
>> mode processes of Snort 2.9.6.2 using DAG 10Ge hardware interface with
>> 2-tuple Hash Load Balancing config. So far the testing has gone very well.
>> Just need to setup an init.d to restart everything in case of power
>> failure. Any guidance is appreciated.
>>
>>
>> ------------------------------------------------------------------------------
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
>
>
>
> --
> Robert Millott
> President, Millott and Associates
> (443) 255-3588
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20141105/a048567b/attachment.html>


More information about the Snort-users mailing list