Snort mailing list archives
Snort & Barnyard init.d script for Debian
From: "Crook, Parker" <Parker_Crook () reyrey com>
Date: Fri, 19 Mar 2010 09:46:20 -0400
Howdy fellow Snortheads,
I apologize for the long post this morning, and I really hope I am not reinventing the wheel with this, but hopefully I am helping somebody out there. I retasked the /etc/init.d/snortd script for Fedora over to Debian and included some changes to control barnyard as well (this also includes a new section that I dropped into the /etc/sysconfig/snort file), so I will start here with just the additional lines to the sysconfig file:
#################################################################################
#Options below are for helping snortd start Barnyard2
###Note: If using multiple interfaces use barnyard2.ethX.conf for file names.
#Directory containing the barnyard.conf file (no trailing slash).
BARN_CONF=/etc/snort
#Location of gen-msg.map
GEN_MSG=/etc/snort/gen-msg.map
#Location of sid-msg.map
SID_MSG=/etc/snort/sid-msg.map
#logfile prefix; ie snort.u2
ALERTFILE=snort.u2
#name of Waldo file
WALDO=barnyard2.waldo
And below is the reworked Debian version of the snortd script with additions to control barnyard as well:
#!/bin/sh
# $Id$
#
# snortd Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description: snort is a lightweight network intrusion detection tool that \
# currently detects more than 1100 host and network \
# vulnerabilities, portscans, backdoors, and more.
#
# Source function library. - COMMENTED OUT, NOT USED IN DEBIAN
#. /etc/rc.d/init.d/functions
# Source the local configuration file
. /etc/sysconfig/snort
# Convert the /etc/sysconfig/snort settings to something snort can
# use on the startup line.
##ADD the following vars:
if [ "$ALERTMODE"X = "X" ]; then
ALERTMODE=""
else
ALERTMODE="-A $ALERTMODE"
fi
if [ "$USER"X = "X" ]; then
USER="snort"
fi
if [ "$GROUP"X = "X" ]; then
GROUP="snort"
fi
if [ "$BINARY_LOG"X = "1X" ]; then
BINARY_LOG="-b"
else
BINARY_LOG=""
fi
if [ "$CONF"X = "X" ]; then
CONF="-c /etc/snort/snort.conf"
else
CONF="-c $CONF"
fi
if [ "$INTERFACE"X = "X" ]; then
INTERFACE="-i eth0"
else
INTERFACE="-i $INTERFACE"
fi
if [ "$DUMP_APP"X = "1X" ]; then
DUMP_APP="-d"
else
DUMP_APP=""
fi
if [ "$NO_PACKET_LOG"X = "1X" ]; then
NO_PACKET_LOG="-N"
else
NO_PACKET_LOG=""
fi
if [ "$PRINT_INTERFACE"X = "1X" ]; then
PRINT_INTERFACE="-I"
else
PRINT_INTERFACE=""
fi
if [ "$PASS_FIRST"X = "1X" ]; then
PASS_FIRST="-o"
else
PASS_FIRST=""
fi
if [ "$LOGDIR"X = "X" ]; then
LOGDIR=/var/log/snort
fi
# These are used by the 'stats' option
if [ "$SYSLOG"X = "X" ]; then
SYSLOG=/var/log/messages
fi
if [ "$SECS"X = "X" ]; then
SECS=5
fi
if [ ! "$BPFFILE"X = "X" ]; then
BPFFILE="-F $BPFFILE"
fi
######For Barnyard:
#The directory where your barnyard conf(s) live. See the program calls below for expected name formatting.
# (fixed: the original test was missing the "$" in front of BARN_CONF, so the
# default was never applied)
if [ "$BARN_CONF"X = "X" ]; then
  BARN_CONF=/etc/snort
fi
#location & name of gen-msg map
if [ "$GEN_MSG"X = "X" ]; then
GEN_MSG=/etc/snort/gen-msg.map
fi
#location & name of sid-msg map
if [ "$SID_MSG"X = "X" ]; then
SID_MSG=/etc/snort/sid-msg.map
fi
#name of alert files
if [ "$ALERTFILE"X = "X" ]; then
ALERTFILE=snort.u2
fi
#name of waldo file
if [ "$WALDO"X = "X" ]; then
WALDO=barnyard2.waldo
fi
######################################
# Now to the real heart of the matter:
# See how we were called.
case "$1" in
  start)
    echo -n "Starting snort: "
    cd $LOGDIR
    if [ "$INTERFACE" = "-i ALL" ]; then
      # One snort + one barnyard2 instance per ethX interface, each with its own
      # log directory, barnyard2.ethX.conf and waldo file.
      for i in `cat /proc/net/dev|grep eth|awk -F ":" '{ print $1; }'`
      do
        mkdir -p "$LOGDIR/$i"
        chown -R $USER:$GROUP $LOGDIR
        /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g \
          $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
        /usr/local/bin/barnyard2 -D -c $BARN_CONF/barnyard2.$i.conf -G $GEN_MSG \
          -S $SID_MSG -d $LOGDIR/$i -f $ALERTFILE -w $LOGDIR/$i/$WALDO -u $USER -g $GROUP
      done
    else
      # check if more than one interface is given
      if [ `echo $INTERFACE|wc -w` -gt 2 ]; then
        for i in `echo $INTERFACE | sed s/"-i "//`
        do
          mkdir -p "$LOGDIR/$i"
          chown -R $USER:$GROUP $LOGDIR
          /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g \
            $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
          /usr/local/bin/barnyard2 -D -c $BARN_CONF/barnyard2.$i.conf -G \
            $GEN_MSG -S $SID_MSG -d $LOGDIR/$i -f $ALERTFILE -w $LOGDIR/$i/$WALDO -u $USER -g $GROUP
        done
      else
        # Run with a single interface (default)
        /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER \
          -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF
        # (fixed: the waldo path read "$$LOGDIR", which expands to the shell's PID)
        /usr/local/bin/barnyard2 -D -c $BARN_CONF/barnyard2.conf -G $GEN_MSG -S $SID_MSG \
          -d $LOGDIR -f $ALERTFILE -w $LOGDIR/$WALDO -u $USER -g $GROUP
      fi
    fi
    # Debian has no /var/lock/subsys; use the same lock file that stop/condrestart use
    touch /var/lock/snort
    echo
    ;;
  stop)
    echo -n "Stopping snort: "
    # only call kill when a PID was actually found, otherwise kill prints a usage error
    pidof snort >/dev/null && kill `pidof snort`
    pidof barnyard2 >/dev/null && kill `pidof barnyard2`
    rm -f /var/lock/snort
    echo
    ;;
  reload)
    echo "Reloading Snort: "
    pidof snort >/dev/null && kill -s HUP `pidof snort`
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  condrestart)
    [ -e /var/lock/snort ] && $0 restart
    ;;
  stats)
    TC=125 # Trailing context to grep
    SNORTNAME='snort' # Process name to look for
    if [ ! -x "/bin/pidof" ]; then
      echo "/bin/pidof not present, sorry, I cannot go on like this!"
      exit 1
    fi
    #Grab Snort's PID
    PID=`pidof -o $$ -o $PPID -o %PPID -x ${SNORTNAME}`
    if [ ! -n "$PID" ]; then # if we got no PID then:
      echo "No PID found: ${SNORTNAME} must not be running."
      exit 2
    fi
    echo ""
    echo "*******"
    echo "WARNING: This feature is EXPERIMENTAL - please report errors!"
    echo "*******"
    echo ""
    echo "You can also run: $0 stats [long | opt]"
    echo ""
    echo "Dumping ${SNORTNAME}'s ($PID) statistics"
    echo "please wait..."
    # Get the date and tell Snort to dump stats as close together in
    # time as possible--not 100%, but it seems to work.
    startdate=`date '+%b %e %H:%M:%S'`
    # This causes the stats to be dumped to syslog
    kill -USR1 $PID
    # Sleep for $SECS secs to give syslog a chance to catch up
    # May need to be adjusted for slow/busy systems
    sleep $SECS
    if [ "$2" = "long" ]; then # Long format
      egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \
        grep 'snort.*:'
    elif [ "$2" = "opt" ]; then # OPTimize format
      # Just show stuff useful for optimizing Snort
      egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \
        egrep "snort.*: Snort analyzed |snort.*: dropping|emory .aults:"
    else # Default format
      egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \
        grep 'snort.*:' | cut -d: -f4-
    fi
    ;;
  *)
    echo "Usage: $0 {start|stop|reload|restart|condrestart|stats (long|opt)}"
    exit 2
esac
exit 0
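The script above starts barnyard2 with a config path built from BARN_CONF and the interface name, but never checks that the file (or the map files and log directory) actually exists, so a typo in /etc/sysconfig/snort shows up only as a barnyard2 daemon that silently dies. The pre-flight check below is an added example and is not part of the original post or of Snort/barnyard2; it takes the same sysconfig values the script uses (BARN_CONF, GEN_MSG, SID_MSG, LOGDIR) plus the list of interfaces, applies the script's naming convention (barnyard2.ethX.conf per interface, plain barnyard2.conf for the single-interface case) and reports every missing piece before anything is launched. The function name and the temp-directory layout used for the self-test are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): verify the barnyard2 inputs the
# snortd script needs before it starts any daemon.
#
# check_barnyard_conf BARN_CONF GEN_MSG SID_MSG LOGDIR [IFACE ...]
#   With interface names, expects BARN_CONF/barnyard2.<iface>.conf and
#   LOGDIR/<iface> for each one (the multi-interface layout of the script).
#   With no interface names, expects BARN_CONF/barnyard2.conf and LOGDIR
#   (the single-interface layout).
# Prints one line per problem on stderr; returns 0 if everything is present,
# 1 otherwise.
check_barnyard_conf() {
    barn_conf=$1; gen_msg=$2; sid_msg=$3; logdir=$4
    shift 4
    rc=0
    # The map files are shared by every barnyard2 instance.
    for f in "$gen_msg" "$sid_msg"; do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable map file: $f" >&2
            rc=1
        fi
    done
    # No interfaces given: run one pass with an empty name (single-interface layout).
    if [ $# -eq 0 ]; then
        set -- ""
    fi
    for i in "$@"; do
        if [ -n "$i" ]; then
            conf="$barn_conf/barnyard2.$i.conf"
            dir="$logdir/$i"
        else
            conf="$barn_conf/barnyard2.conf"
            dir="$logdir"
        fi
        if [ ! -r "$conf" ]; then
            echo "missing or unreadable barnyard2 config: $conf" >&2
            rc=1
        fi
        if [ ! -d "$dir" ]; then
            echo "missing unified2 log directory: $dir" >&2
            rc=1
        fi
    done
    return $rc
}

# Intended use from the init script's start) branch, after sourcing the
# sysconfig file (hypothetical snippet, assumes the defaults shown in the script):
#   . /etc/sysconfig/snort
#   check_barnyard_conf "${BARN_CONF:-/etc/snort}" "${GEN_MSG:-/etc/snort/gen-msg.map}" \
#       "${SID_MSG:-/etc/snort/sid-msg.map}" "${LOGDIR:-/var/log/snort}" eth0 eth1 || exit 1
```

Calling it before the snort/barnyard2 invocations turns a misnamed barnyard2.ethX.conf or a missing sid-msg.map into a clear, non-zero exit from `snortd start` instead of a sensor that captures packets while nothing processes the unified2 output.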
