Snort mailing list archives
Improved snortd init script
From: JP Vossen <vossenjp () netaxs com>
Date: Fri, 23 May 2003 20:31:17 -0400 (EDT)
I was messing around with kill -USR1 {snort} and wondering why that was not in
the init script wrapper, so I added it. It works on my RedHat 8.0 box, but
I've done no other testing.
What do you think? Snort.org/Sourcefire guys: hopefully this will make the
stats a little easier for those just moving to UNIX (esp. snortd stats opt).
Any suggestions for improvement (it's a bit ugly right now)?
Later,
JP
I hope the formatting survives my mailer...
----- Cut Here -----
#!/bin/sh
#
# snortd        Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description: snort is a lightweight network intrusion detection tool that
#              currently detects more than 1100 host and network
#              vulnerabilities, portscans, backdoors, and more.
#
# June 10, 2000 -- Dave Wreski <dave () linuxsecurity com>
#   - initial version
#
# July 08, 2000 Dave Wreski <dave () guardiandigital com>
#   - added snort user/group
#   - support for 1.6.2
#
# July 31, 2000 Wim Vandersmissen <wim () bofh st>
#   - added chroot support
#
# May 23, 2003 JP Vossen <jp () jpsdomain org>
#   - added stats (long|opt) option

# Source function library.
. /etc/rc.d/init.d/functions

# Specify your network interface here
INTERFACE=eth0

# See how we were called.
case "$1" in
  start)
        echo -n "Starting snort: "
        cd /var/log/snort
        daemon /usr/sbin/snort -A fast -b -l /var/log/snort -d -D \
            -i "$INTERFACE" -c /etc/snort/snort.conf
        touch /var/lock/subsys/snort
        echo
        ;;
  stop)
        echo -n "Stopping snort: "
        killproc snort
        rm -f /var/lock/subsys/snort
        echo
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        status snort
        ;;
  stats | statistics)
        tc=100                      # Trailing context to grep
        secs=3                      # Seconds to wait for syslog
        syslog='/var/log/messages'
        # Grab Snort's PID (excluding this script and its parents)
        pid=`pidof -o $$ -o $PPID -o %PPID -x snort`
        if [ -z "$pid" ]; then
            echo "snort is not running"
            exit 1
        fi
        echo "Dumping Snort's ($pid) statistics to screen and $syslog"
        echo "please wait $secs seconds..."
        # Get the date and tell Snort to dump stats as close together in
        # time as possible (not 100%, but it seems to work).
        startdate=`date '+%b %e %H:%M:%S'` && kill -USR1 $pid
        # Sleep for $secs secs to give syslog a chance to catch up
        sleep $secs                 # May need to be adjusted for slow/busy systems
        if [ "$2" = "long" ]; then  # Long format
            egrep -A $tc "^$startdate .* snort: ={79}" $syslog | \
                grep snort:
        elif [ "$2" = "opt" ]; then # OPTimize format
            # Just show stuff useful for optimizing Snort
            egrep -A $tc "^$startdate .* snort: ={79}" $syslog | \
                egrep "snort: Snort analyzed |snort: dropping|emory .aults:"
        else                        # Default format
            egrep -A $tc "^$startdate .* snort: ={79}" $syslog | \
                grep snort: | cut -d: -f4-
        fi
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|status|stats (long|opt)}"
        exit 1
esac

exit 0
----- Cut Here -----
------------------------------|:::======|--------------------------------
JP Vossen, CISSP |:::======| jp () jpsdomain org
My Account, My Opinions |=========| http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows XP or better, so I installed
Linux..."
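The `stats` option above keys the syslog search on the second in which `date` ran, which is the "not 100%" the script comments on: if `kill -USR1` lands in the next second, or syslog stamps the lines a second later, the `egrep` finds nothing. The following is an added example, not JP's script and not Snort's own code: it records the log's line count before the signal and reads only what was appended afterwards, so no timestamp match is needed, and it reproduces the three output formats (`long`, `opt`, default) on top of that. It assumes the usual syslog line shape (`Mon DD HH:MM:SS host snort: ...`) and the 79-character `=` separator that the script's `egrep` looks for; the log excerpt is constructed for the demo and is not real Snort output, and the function and variable names are mine.

```shell
#!/bin/sh
# Added example (not the snortd script, not Snort code): pull Snort's USR1
# statistics out of syslog by bookmarking the file's length before the signal
# and parsing only the lines appended after it, instead of matching the
# timestamp that "date" produced. The log lines below are constructed.

TC=100   # max "snort:" lines to print after the separator, as in snortd

# Snort brackets its statistics with a line of 79 '=' characters.
SEP=''; i=0
while [ "$i" -lt 79 ]; do SEP="$SEP="; i=$((i + 1)); done

# log_bookmark FILE: print the current line count; call it just BEFORE kill -USR1.
log_bookmark() {
    wc -l < "$1" | tr -d ' '
}

# extract_stats FILE BOOKMARK [long|opt|default]
# Reads only lines appended after BOOKMARK, starts at the first separator and
# prints up to $TC "snort:" lines in the chosen format:
#   long    - the raw syslog lines
#   opt     - only the packet / drop / memory-fault counters
#   default - raw lines with the "Mon DD HH:MM:SS host snort:" prefix cut off
extract_stats() {
    file=$1; mark=$2; mode=${3:-default}
    tail -n +"$((mark + 1))" "$file" | awk -v mode="$mode" -v tc="$TC" -v sep="$SEP" '
        function emit(line) {
            if (mode == "opt") {
                if (line ~ /snort: Snort analyzed / || line ~ /snort: dropping/ ||
                    line ~ /emory .aults:/) print line
            } else if (mode == "long") {
                print line
            } else {
                sub(/^[^:]*:[^:]*:[^:]*:/, "", line)   # same effect as cut -d: -f4-
                print line
            }
        }
        # index() instead of ={79}: older awks lack regex interval expressions
        !inblock && index($0, "snort: " sep) { inblock = 1; n = 1; emit($0); next }
        inblock && /snort:/ { emit($0); if (++n >= tc) exit }
    '
}

# --- Demo with a constructed log (not captured from a real system) ---
LOG="${TMPDIR:-/tmp}/snortd-stats-demo.$$"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<EOF
May 23 20:31:16 ids snort: [1:1234:5] demo alert [Priority: 2] {TCP} 10.0.0.5:1025 -> 10.0.0.9:80
May 23 20:31:17 ids sshd[212]: Accepted publickey for jp from 10.0.0.2
EOF

MARK=$(log_bookmark "$LOG")   # real use: MARK=$(log_bookmark "$syslog"); kill -USR1 "$pid"; sleep 3

# Lines that arrive after the signal. "dropping" is put on its own line so the
# snortd "opt" patterns apply as written; the counters are made up.
cat >> "$LOG" <<EOF
May 23 20:31:18 ids snort: [1:1234:5] demo alert [Priority: 2] {TCP} 10.0.0.5:1026 -> 10.0.0.9:80
May 23 20:31:18 ids snort: $SEP
May 23 20:31:18 ids snort: Snort analyzed 8452 out of 8460 packets,
May 23 20:31:18 ids snort: dropping 8(0.095%) packets
May 23 20:31:18 ids snort: Breakdown by protocol:
May 23 20:31:18 ids snort:     TCP: 8000       (94.653%)
May 23 20:31:18 ids snort: Memory faults: 0
May 23 20:31:18 ids snort: $SEP
EOF

extract_stats "$LOG" "$MARK" opt
```

Because the bookmark bounds the search to lines written after the signal, an alert logged in the same second as the statistics (the second `demo alert` line) is skipped until the separator appears, and a clock rolling over between `date` and `kill` cannot hide the block. The `pid` the real script passes to `kill` should still be checked for emptiness, as a missing PID would otherwise make `kill -USR1` fail noisily.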
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
