#!/bin/sh
# /etc/rc.d/rc.snort: start/stop/restart the snort daemon.
#
# 8/30/2007 - The snort_restart function wasn't working, but an
# investigation ferreted out the problem: the "sleep" parameter was
# adjusted from "1" to "5" to give the process time to stop before
# starting the snort process again.

SNORT=/usr/local/bin/snort
CONF=/home/snort/snort-2.6.1.1/snort.conf
IFACE=eth0
# With -D, snort 2.x writes its pid to <logdir>/snort_<iface>.pid
# (/var/log/snort unless -l says otherwise); keep PIDFILE in step with that.
PIDFILE=/var/log/snort/snort_${IFACE}.pid

# Start snort:
snort_start() {
  if [ -x "$SNORT" ]; then
    # Don't launch a second copy if the recorded pid is still alive.
    if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
      echo "snort already running (pid $(cat "$PIDFILE"))"
      return 0
    fi
    echo "Starting snort daemon: $SNORT -devXz -c $CONF -i $IFACE"
    "$SNORT" -devXz -c "$CONF" -i "$IFACE" -D
  fi
}

# Stop snort:
snort_stop() {
  echo "Stopping snort daemon"
  if [ -f "$PIDFILE" ]; then
    # Signal only the instance we started; fall back to killall
    # if the pid file is missing.
    kill "$(cat "$PIDFILE")" 2>/dev/null
  else
    killall snort
  fi
}

# Restart snort:
snort_restart() {
  snort_stop
  sleep 5
  snort_start
}

case "$1" in
  'start')
    snort_start
    ;;
  'stop')
    snort_stop
    ;;
  'restart')
    snort_restart
    ;;
  *)
    echo "usage $0 start|stop|restart"
    ;;
esac
This is an online log of my Slackware experiences. Be aware that I'm also using this blog to cover basic and intermediate security issues that may not pertain to Slackware. This is my way of consolidating blogs (I've several of them).
Showing posts with label init script. Show all posts
Thursday, August 30, 2007
Posted: Snort init script
Here it is!
Sunday, August 26, 2007
Revamped rc.snort on my server
Hi all!
First, I've redone my rc.snort file. I looked at the existing rc files in /etc/rc.d/ and looked at rc.sendmail specifically. It looked very simple compared to the rc.snort I did a while back. Remember when I mentioned that I did two of them, one for Slackware 9.0 and one for OpenBSD 3.8, with the OpenBSD one working fine but the Slackware one not working 100%? Well, instead of basing the Slackware rc.snort on Slackbuilds' thttpd rc script, I went ahead and did the following:
1. I changed the name of the existing rc.snort to rc.snort.original using the 'mv' command.
2. I executed the following: cp rc.sendmail rc.snort
3. I edited rc.snort with VIM, replacing all mentions of sendmail with snort, also including the path of snort.
4. I then tested by manually starting, stopping and restarting a running snort process. I found that the script was choking because I forgot to add the '-D' switch to the script. I fixed this and tested successfully.
5. I lastly set a cronjob to run 5 min in the future to test that the cronjob would function using the new script. It worked!
I should've done the above AGES ago. Now I get to wait a few days to see if the cronjob fails because I haven't accounted for something else...that's what happened last time. I think I'm not going to have issues this time, though.
I'll link the revised rc.snort script a bit later.
I've also built two netcat Slackware packages, using Checkinstall. I built one for my 9.0 server and one for my v12.0 workstation. Every time I build a package, I'll be adding it to my slackpack repository, which will have v9.0 and v12.0 directories. I've added it because I didn't find a slackpack of netcat hosted anywhere else. I've the feeling that people may want the version for 12.0. I don't think many people are using v9.0 anymore.
You are probably wondering why I'm using v9.0. Because that's what my hosting provider offers. I try to keep it up-to-date but I've noticed that Pat isn't upgrading packages that far back anymore. This means I'll have to build my own upgrade packages. This also means I'll have to be very attentive to security (like I'm not already). Additionally, this will soon force me to either upgrade to v12.0 (Linode has several howtos) or jump to another distribution for simplicity's sake. :(
Anyways, I just wanted to post since I've been doing some work with Slack.
Until next time...
Monday, June 04, 2007
Snort init script still not working...
Yeah, I thought I'd nailed this, but there is still an issue with my Slackware machine's Snort startup/shutdown script. For some reason, it'll start fine, will not shut down cleanly and will error out. The script will not start on its own and requires manual intervention (dunno why). I'll have to add some debugging code to it so that I can track the issue. It must be some flag that I'm using when implementing 'ps', because that's the only difference between the two scripts (the OpenBSD and Slackware).
I wish I had more time (and willpower) to give this the attention that it needs. I can always visit the Snort mailing list and post my concerns, but I'd like to be able to nail this one myself. :)
Saturday, May 19, 2007
I Created some scripts for Snort
I've created (well, modified) a Snort initialization, restart, and shutdown script for Slackware and OpenBSD. They are linked below.
The OpenBSD script works solidly.
The Slackware script works sporadically and I've no idea how to debug it (although I haven't tried 'strace' yet). It appears to work manually every time, but when run as a cron job, it sometimes, seemingly randomly, doesn't restart. The cron job runs every hour but because it sometimes doesn't start, I now have holes in my website's IDS coverage.
Note that I didn't HAVE to create start/stop scripts for Snort, as I could've started Snort by utilizing the rc.local file, but I'd have still had to manually kill the Snort process whenever I wanted to stop Snort. Having an init script do this is much cleaner.
The fact that I've gotten it working on the OpenBSD machine hints that I've a minor issue with the Slackware script that I have yet to account for, but it's frustrating me, so I'll throw it online to see if someone can help with debugging. Yeah, I'd searched for help via Google but didn't see much on Snort init scripts for Slackware (although I may find something if I look at any scripts for other distributions).
I also got Snortalog to process my Snort raw logs into a statistical report, although I had to import 6.2MB of flat files to my FreeBSD box (which Snortalog is installed on), then have Snortalog crunch that data into a HUGE (3.9MB) HTML file! Needless to say, that HTML file takes almost 5 minutes to load into a browser. I've got to filter the logs and only have it crunch certain dates to make the file less bulky.
Snortalog definitely highlights that I could do some tuning, as it shows a very high amount of MS-SQL worm attempts (MS Blaster) hitting my server, amongst other things. This is a good tool that I'd previously used (and had forgotten) at a prior place of employment. It would be nice if I could figure out how to get it to crunch my IPF FW logs.
Another oldie but goodie is SnortSnarf. It is a perl script, as is Snortalog, that parses Snort files (the alert file and the payload files) into readable HTML pages, which is a bit better at searching via command-line. It is not as handy as ACID/BASE is, though, but has lower overhead. Sadly, SnortSnarf's home page is gone, but I've linked Snort.org's archive.
EDIT --
I've found my 'error'. What happened was that I had line 34 commented out and line 35 uncommented. Line 35 is specifically for usage with OpenBSD. Line 34 is specifically for Slackware. I rectified this by uncommenting line 34 and commenting line 35. I'll also put commentary explaining this. Consider this issue solved!
Edited 8/30/2007:
Revised Script that works! *yes, click here*
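A restart that "sometimes doesn't come back" from cron, and a fixed sleep between stop and start, are the usual signs of two missing checks: the script never confirms that the old process has actually exited before starting the new one, and never confirms that nothing is already running before starting. The shell functions below are an added example, not part of the author's rc.snort or of Snort itself. They use the pid file Snort writes in -D mode (the /var/log/snort/snort_eth0.pid path in restart_example is an assumption; adjust it to your -l log directory) and are written so the stop-then-start sequence cannot race: wait for the old pid to die, escalate to SIGKILL after a timeout, and start only when the recorded pid is dead.

```shell
#!/bin/sh
# Pid-file based helpers for a restart-safe rc script (added example).
# POSIX sh; no bash-isms, so it runs on Slackware's /bin/sh.

# pid_alive PIDFILE: succeed only if PIDFILE holds a numeric pid of a live
# process we are allowed to signal. A missing/garbage file or a dead pid
# both count as "not running".
pid_alive() {
  [ -f "$1" ] || return 1
  pid=$(cat "$1" 2>/dev/null)
  case "$pid" in ''|*[!0-9]*) return 1 ;; esac
  kill -0 "$pid" 2>/dev/null
}

# stop_and_wait PIDFILE [TIMEOUT]: send SIGTERM, poll once a second for up
# to TIMEOUT seconds (default 10) until the pid is gone, then SIGKILL it.
# Always removes the pid file so a later start is not fooled by a stale one.
stop_and_wait() {
  pidfile=$1; timeout=${2:-10}
  if ! pid_alive "$pidfile"; then
    rm -f "$pidfile"
    return 0
  fi
  pid=$(cat "$pidfile")
  kill "$pid" 2>/dev/null
  i=0
  while kill -0 "$pid" 2>/dev/null; do
    i=$((i + 1))
    if [ "$i" -ge "$timeout" ]; then
      kill -9 "$pid" 2>/dev/null
      break
    fi
    sleep 1
  done
  rm -f "$pidfile"
  return 0
}

# ensure_running PIDFILE START_CMD: run START_CMD only when no live pid is
# recorded in PIDFILE. Returns 0 if already running, 2 if it started one.
# A stale pid file is removed before starting.
ensure_running() {
  if pid_alive "$1"; then
    return 0
  fi
  rm -f "$1"
  eval "$2"
  return 2
}

# How rc.snort would wire these up. Paths as on the page; the pid file
# location is an assumption (Snort -D writes <logdir>/snort_<iface>.pid).
restart_example() {
  stop_and_wait /var/log/snort/snort_eth0.pid 10
  ensure_running /var/log/snort/snort_eth0.pid \
    "/usr/local/bin/snort -devXz -c /home/snort/snort-2.6.1.1/snort.conf -i eth0 -D"
}
```

Calling ensure_running from the hourly cron job instead of a blind restart also makes the job idempotent: if Snort is healthy it does nothing, and if it died it is brought back, which closes the coverage gaps described above without the fixed sleep.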
Labels: FreeBSD, init script, MS Blaster, MS-SQL, OpenBSD, Slackware, Snort, Snortalog, SnortSnarf