Snort mailing list archives
Re: Snorby SBSA
From: "Castle, Shane" <scastle () bouldercounty org>
Date: Fri, 27 Aug 2010 11:22:55 -0600
Yep. Mine kills and restarts.
Also, I did a bit of research into Debian startup scripts and it's the
same as Solaris (blech), with /etc/rcn.d directories and K*/S* entries.
Pretty basic stuff. My script would need a little modification.
Since there is some interest:
--------------------8<--------------------------------------------
#!/bin/bash
#
# snort         This script starts and stops snort
#
# chkconfig: - 70 30
# description: Snort IDS
# processname: snort
# config: /etc/snort/snort.conf

# Source function library
. /etc/rc.d/init.d/functions

BASE=snort
DAEMON="-D"
INTERFACES="eth1 eth2"
CONFBASE="/etc/snort/snort"

# Looking for BASE install
[ -f /usr/local/bin/$BASE ] || exit 0

# Location of netconfig
. /etc/sysconfig/network

# Verify that network is available
[ "${NETWORKING}" = "no" ] && exit 0

RETVAL=0
export PCAP_FRAMES=max PCAP_MEMORY=max

# Snort/BASE Call-out
case "$1" in
  start)
    if [ -n "$(/sbin/pidof $BASE)" ]; then
      echo -n $"$BASE: already running"
      echo ""
      exit $RETVAL
    fi
    echo -n "Starting snort services: "
    # One snort instance per interface, each with its own config file
    for intf in $INTERFACES; do
      /usr/local/bin/$BASE -i "$intf" -c "${CONFBASE}-${intf}.conf" \
        $DAEMON --pid-path /var/snort/run
    done
    sleep 1
    action "" /sbin/pidof $BASE
    RETVAL=$?
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/snort
    ;;
  stop)
    echo -n "Shutting down snort services: "
    killproc $BASE
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/snort
    ;;
  restart|reload)
    # Full stop and start (not a HUP)
    $0 stop
    $0 start
    RETVAL=$?
    ;;
  status)
    status $BASE
    RETVAL=$?
    ;;
  *)
    echo "Usage: snort {start|stop|restart|reload|status}"
    exit 1
    ;;
esac

exit $RETVAL
--------------------8<--------------------------------------------
--
Shane Castle
Data Security Mgr, Boulder County IT
GSEC GCIH
303-441-3953
-----Original Message-----
From: JJ Cummings [mailto:cummingsj () gmail com]
Sent: Friday, August 27, 2010 11:00
To: Castle, Shane
Cc: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snorby SBSA
As a side note, when you are running SO rules and update them, you must
stop the pid and start again, a HUP will not correctly reload the binary
rules.
Sent from the iRoad
On Aug 27, 2010, at 8:51, "Castle, Shane" <scastle () bouldercounty org> wrote:
I have a script for use with the "service" command (and "chkconfig") in RHEL5. I'm not familiar with Debian; dunno if it'd transport well. Also it's customized for two sensors on one box (must start multiple snort instances). I can post on the list or send it if you like.
--
Shane Castle
Data Security Mgr, Boulder County IT
GSEC GCIH
303-441-3953
-----Original Message-----
From: Christopher A. Libby [mailto:clibby () mainepublicservice com]
Sent: Friday, August 27, 2010 09:38
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snorby SBSA
I've been using the Snorby SBSA for a few days now, and I must say I really like the interface and the easy setup. I do have a few issues that I'd like to manually resolve if anyone has any suggestions.
First, I'd like to be able to utilize SO rules but Oinkmaster doesn't handle them. I've looked at Pulled Pork on a previous incarnation of this machine but I wasn't very successful in getting it to work with both VRT and ET rules. Any suggestions on what else I could use?
Second, the snort init script simply starts snort - it doesn't allow for start/stop/restart. I'd like to just restart snort to reload the rules, but one process gets stuck (no permission to the PID file) so I have to reboot the server. Does anyone have a good Debian init script for snort?
Thanks!
- Chris
------------------------------------------------------------------------------
Sell apps to millions through the Intel(R) Atom(Tm) Developer Program
Be part of this innovative community and reach millions of netbook users
worldwide. Take advantage of special opportunities to increase revenue and
speed time-to-market. Join now, and jumpstart your future.
http://p.sf.net/sfu/intel-atom-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
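Added example, not part of the original post: the init script in this message confirms startup with `pidof snort`, which succeeds as soon as any one instance is up, so a sensor that failed on one interface goes unnoticed. The functions below check each interface separately; they assume every instance writes `snort_<intf>.pid` under the `--pid-path` directory, and the function names are hypothetical.

```shell
#!/bin/bash
# Added example: per-interface liveness check for a multi-instance sensor.
# Assumption: each instance writes <pid_dir>/snort_<intf>.pid when started
# with "-i <intf> --pid-path <pid_dir>".

# instance_state PID_DIR INTF  ->  prints running | stale | missing
instance_state() {
    local pidfile pid
    pidfile="$1/snort_$2.pid"
    if [ ! -r "$pidfile" ]; then
        echo missing
        return 0
    fi
    read -r pid < "$pidfile" || true
    case "$pid" in
        ''|*[!0-9]*) echo stale; return 0 ;;   # empty or non-numeric content
    esac
    # kill -0 delivers no signal; it only tests that the PID exists.
    # Run as root (as an init script would) so EPERM is not read as "dead".
    if kill -0 "$pid" 2>/dev/null; then
        echo running
    else
        echo stale
    fi
}

# check_instances PID_DIR INTF...  ->  one "intf: state" line per interface;
# the return code is the number of instances that are not running.
check_instances() {
    local dir bad intf state
    dir="$1"; bad=0
    shift
    for intf in "$@"; do
        state=$(instance_state "$dir" "$intf")
        echo "$intf: $state"
        [ "$state" = running ] || bad=$((bad + 1))
    done
    return "$bad"
}

# Command-line use, e.g.:  ./check_snort.sh /var/snort/run eth1 eth2
if [ "$#" -ge 2 ]; then
    check_instances "$@"
    exit $?
fi
```

A `stale` result after a restart means the PID file outlived its process, which is the state to clear before starting that instance again.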
