Re: [Snort-users] snort/Barnyard startup script
From: Edin Dizdarevic (edin.dizdarevic@interActive-Systems.de)
Date: Wed Jul 07 2004 - 07:02:55 CDT
Hi,
this is the way I have it added in my script, maybe you can use it
(remember to adapt it for your system):
...
################################################################################
# General constants
#
# Snort binary
SNORT="/usr/local/bin/snort"
# Barnyard binary and the helper programs the script calls by absolute path
BY="/usr/local/bin/barnyard"
PIDOF="/sbin/pidof"
ECHO="/bin/echo"
RM="/bin/rm"
KILL="/bin/kill"
SLEEP="/bin/sleep"
#
#
################################################################################
################################################################################
# Barnyard constants
#
# Barnyard configuration file
BY_CFG="/etc/snort/barnyard.conf"
# Spoolfile, the file where Snort is logging the alerts. Must be same as in
# Snort configuration file. The appended time is detected automatically by BY.
BY_SPOOL="/var/log/snort/unified.log"
# Path to the sid-msg.map file. The file where the reference to the specific
# vulnerabilities is stored so we can find further information on alerts.
SID="/etc/snort/sid-msg.map"
# Path to the "waldo" file. That is, where Barnyard will save the actual state.
# If BY has been restarted, it will not try to log the alerts already being
# logged.
BY_WALDO="/var/log/snort/waldo.barnyard"
#
#
################################################################################
...
# Starting Barnyard...
"$ECHO" "Starting Barnyard logging facility..."
# Find out if Barnyard is already running
BY_PID=$("$PIDOF" "$BY")
if [ -z "$BY_PID" ]
then
    "$ECHO" "No Barnyard instances available!"
    "$ECHO" "Continuing and removing old pidfiles if there..."
    # delete old pidfiles if there
    "$RM" -f /var/run/by.pid > /dev/null 2>&1
else
    # BY instance(s) found
    "$ECHO" "Barnyard already running!"
    "$ECHO" "Please call 'stop' or 'restart' first!"
    # Error
    exit 1
fi
# No BY instances running and no old pidfiles there
"$ECHO" "Starting Barnyard now..."
"$BY" -c "$BY_CFG" -f "$BY_SPOOL" -s "$SID" -w "$BY_WALDO"
# wait a second or two...
"$SLEEP" 2
# Both the pidfile and a live Barnyard process are required before reporting success
BY_PIDFILE=$(cat /var/run/by.pid 2>/dev/null)
BY_PID=$("$PIDOF" "$BY")
if [ -n "$BY_PIDFILE" ] && [ -n "$BY_PID" ]
then
    "$ECHO" "Barnyard running now with PID $BY_PID."
else
    "$ECHO" -e "ERROR!\n"
    "$ECHO" "An error occurred! Barnyard is not running!"
    exit 1
fi
Regards,
Edin
Patrick S. Harper wrote:
> There is a file called S99snort in the contrib dir where you uncompressed
> the snort source files. Copy that to /etc/init.d and create a symlink in
> the run levels you want to run it in. For barnyard I just modified the
> snort init script, or you can just put it in rc.local (it would be better to
> use a script though)
>
>
>
>
> Patrick S. Harper | CISSP RHCT MCSE
> www.internetsecurityguru.com
>
> www.ntsug.org - Snort Users Group
>
> "If there is no light at the end of the tunnel, get down there and light the
> damn thing yourself!"
>
> -----Original Message-----
> From: snort-users-admin@lists.sourceforge.net
> [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Mike Cohen
> Sent: Tuesday, July 06, 2004 9:34 PM
> To: snort-users@lists.sourceforge.net
> Subject: [Snort-users] snort/Barnyard startup script
>
> Hello,
>
> I'm fairly new to Linux, and have been tasked with building a snort sensor
> for our network.
>
> I have Suse 9, snort 2.12 with Barnyard 0.2.0 and mysql up and running.
>
> None of the services (apache/mysql/barnyard/snort) are running when I start
> the server.
>
> I see that I can add apache and mysql to the various runlevels using Yast,
> but I'm not quite sure how exactly to script the startup of snort and
> barnyard.
>
> I've seen references to snortd, but I can't seem to find any definitive
> references to make snort a daemon, other than the command line switch which
> would mean I'd have to have it in a script somewhere.
>
> I have no experience with startup scripting of any kind other than dumping
> one-liners in rc.local.
>
> I see that startup scripts would go in the appropriate runlevel folder, but
> is a startup script as simple as just typing in the snort start command
> with the proper switches, saving it as a file and dumping it in the right
> rc.3 and rc.5 directories? From what I can gather there is more to it, and it
> looks like it involves some C coding (which I don't know).
>
> Can someone point me in the right direction? All the books mention using some
> runlevel editor tool, but that doesn't seem to apply to snort, since it's not
> a distro installed service.
>
> Any help or insight appreciated.
> Thanks.
>
> Mike C.
>
>
> -------------------------------------------------------
> This SF.Net email sponsored by Black Hat Briefings & Training.
> Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self
> defense, top technical experts, no vendor pitches, unmatched networking
> opportunities. Visit www.blackhat.com
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
--
Edin Dizdarevic
Networking Development
System Developer
iAS interActive Systems
Gesellschaft fuer interaktive Medien mbH
Dieffenbachstr. 33c
10967 Berlin
Germany
fon +49-(0)30 69 004-123
fax +49-(0)30 69 004-101
mail edin.dizdarevic@interActive-Systems.de
URL http://www.interActive-Systems.de/security
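The script above reports "running" as soon as pidof finds any process with the Barnyard name and the pidfile is non-empty, and it relies on the run-level machinery Patrick describes (S99snort copied into /etc/init.d) to call it. The following is an added example, not Edin's script and not anything shipped with Snort or Barnyard: a self-contained start/stop/status skeleton in the same spirit that checks the PID recorded in the pidfile against a live process, throws away a stale pidfile left behind by a crash or reboot, and waits for a clean exit on stop. All paths are assumptions (the default arguments reuse the file names from the thread); the daemon is assumed to stay in the foreground and is put into the background by the script, which records the real PID itself, so the program's own daemonize option should not be passed as well.

```sh
#!/bin/sh
# Added example, not the script posted in this thread: a pidfile-checked
# start/stop/status skeleton for a sensor daemon such as Barnyard.
# All paths are assumptions; the daemon is run in the foreground and put
# into the background by this script, which records the real PID itself.

DAEMON="${DAEMON:-/usr/local/bin/barnyard}"          # assumed install path
DAEMON_ARGS="${DAEMON_ARGS:--c /etc/snort/barnyard.conf -f /var/log/snort/unified.log -s /etc/snort/sid-msg.map -w /var/log/snort/waldo.barnyard}"
PIDFILE="${PIDFILE:-/var/run/by.pid}"

# is_alive PID: true only for a live, non-zombie process. kill -0 sends no
# signal, it just tests existence, but a zombie still passes that test, so on
# Linux the state field of /proc/PID/stat is checked as well.
is_alive() {
    [ -n "$1" ] || return 1
    kill -0 "$1" 2>/dev/null || return 1
    if [ -r "/proc/$1/stat" ]; then
        state=$(sed 's/^.*) //' "/proc/$1/stat" | cut -d ' ' -f 1)
        [ "$state" != "Z" ] || return 1
    fi
    return 0
}

# running_pid: print the PID from the pidfile if that process is alive.
# A pidfile whose PID is dead is stale (crash, reboot) and is removed, so a
# later start is not refused on the strength of a leftover file.
running_pid() {
    pid=$(cat "$PIDFILE" 2>/dev/null) || return 1
    if is_alive "$pid"; then
        printf '%s\n' "$pid"
        return 0
    fi
    rm -f "$PIDFILE"
    return 1
}

# start_daemon CMD [ARG...]: refuse a second instance, launch, record the PID,
# then confirm the process survived its first second before reporting success.
start_daemon() {
    if pid=$(running_pid); then
        echo "already running (PID $pid), use stop or restart first" >&2
        return 1
    fi
    "$@" &
    pid=$!
    echo "$pid" > "$PIDFILE"
    sleep 1
    if is_alive "$pid"; then
        echo "started (PID $pid)"
        return 0
    fi
    rm -f "$PIDFILE"
    echo "failed to start" >&2
    return 1
}

# stop_daemon: TERM, wait up to 10 s for a clean exit, then KILL as last resort.
stop_daemon() {
    pid=$(running_pid) || { echo "not running"; return 0; }
    kill "$pid" 2>/dev/null || true
    i=0
    while is_alive "$pid" && [ "$i" -lt 10 ]; do
        sleep 1
        i=$((i + 1))
    done
    if is_alive "$pid"; then
        echo "PID $pid did not exit, sending KILL" >&2
        kill -9 "$pid" 2>/dev/null || true
    fi
    rm -f "$PIDFILE"
    echo "stopped"
}

# status_daemon: exit 0 when running, 3 when not (the LSB init-script convention)
status_daemon() {
    if pid=$(running_pid); then
        echo "running (PID $pid)"
        return 0
    fi
    echo "not running"
    return 3
}

# Entry point. With no argument only the functions are defined, so the file
# can also be sourced by another script.
case "${1:-}" in
    start)   start_daemon "$DAEMON" $DAEMON_ARGS ;;   # word-splitting of ARGS intended
    stop)    stop_daemon ;;
    status)  status_daemon ;;
    restart) stop_daemon; start_daemon "$DAEMON" $DAEMON_ARGS ;;
    "")      : ;;
    *)       echo "usage: $0 {start|stop|status|restart}" >&2; exit 2 ;;
esac
```

Installed as /etc/init.d/barnyard with a symlink from the wanted run-level directories, it is called as `barnyard start|stop|status|restart`. The point of checking the pidfile against a live process rather than only running pidof is that a sensor whose alert logger has silently died looks healthy to a name-only check, and a stale pidfile would otherwise block the restart that fixes it.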