#!/bin/sh # Copyright (c) 2005-2008 SuSE Linux AG # # Author : Tedi Heriyanto # Date : Oct 18, 2008 # # /etc/init.d/snortd # ### BEGIN INIT INFO # Provides: snortd # Required-Start: $network $time # Required-Stop: $network # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # Short-Description: Snort IDS Daemon # Description: Start the Snort, a lightweight network intrusion detection tool, \ # that currently detects more than 1100 host and network \ # vulnerabilities, portscans, backdoors, and more. ### END INIT INFO SNORT_BIN=/usr/sbin/snort test -x $SNORT_BIN || exit 5 . /etc/rc.status RC_OPTIONS='-v' rc_reset # Source the local configuration file . /etc/sysconfig/snort # Convert the /etc/sysconfig/snort settings to something snort can # use on the startup line. if [ "$ALERTMODE"X = "X" ]; then ALERTMODE="" else ALERTMODE="-A $ALERTMODE" fi if [ "$USER"X = "X" ]; then USER="snort" fi if [ "$GROUP"X = "X" ]; then GROUP="snort" fi if [ "$BINARY_LOG"X = "1X" ]; then BINARY_LOG="-b" else BINARY_LOG="" fi if [ "$CONF"X = "X" ]; then CONF="-c /etc/snort/snort.conf" else CONF="-c $CONF" fi if [ "$INTERFACE"X = "X" ]; then INTERFACE="-i eth0" else INTERFACE="-i $INTERFACE" fi if [ "$DUMP_APP"X = "1X" ]; then DUMP_APP="-d" else DUMP_APP="" fi if [ "$NO_PACKET_LOG"X = "1X" ]; then NO_PACKET_LOG="-N" else NO_PACKET_LOG="" fi if [ "$PRINT_INTERFACE"X = "1X" ]; then PRINT_INTERFACE="-I" else PRINT_INTERFACE="" fi if [ "$PASS_FIRST"X = "1X" ]; then PASS_FIRST="-o" else PASS_FIRST="" fi if [ "$LOGDIR"X = "X" ]; then LOGDIR=/var/log/snort fi # These are used by the 'stats' option if [ "$SYSLOG"X = "X" ]; then SYSLOG=/var/log/messages fi if [ "$SECS"X = "X" ]; then SECS=5 fi if [ ! "$BPFFILE"X = "X" ]; then BPFFILE="-F $BPFFILE" fi ###################################### # Now to the real heart of the matter: # See how we were called. case "$1" in start) echo -n "Starting Snort: " checkproc $SNORT_BIN if [ $? -eq 0 ] ; then echo -n "- Warning: Snort is already running ! " rc_failed else cd $LOGDIR if [ "$INTERFACE" = "-i ALL" ]; then for i in `cat /proc/net/dev|grep eth|awk -F ":" '{ print $1; }'` do mkdir -p "$LOGDIR/$i" chown -R $USER:$GROUP $LOGDIR $SNORT_BIN $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE \ -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF done else # check if more than one interface is given if [ `echo $INTERFACE|wc -w` -gt 2 ]; then for i in `echo $INTERFACE | sed s/"-i "//` do mkdir -p "$LOGDIR/$i" chown -R $USER:$GROUP $LOGDIR $SNORT_BIN $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE \ -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF done else # Run with a single interface (default) $SNORT_BIN $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE \ $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF fi fi fi rc_status $RC_OPTIONS ;; stop) checkproc $SNORT_BIN if [ $? -ne 0 ] ; then echo -n "- Warning: Snort is not running ! " rc_failed else echo -n "Stopping Snort: " killproc snort PIDFILES=`ls /var/run | grep snort` for PIDFILE in $PIDFILES do rm -f /var/run/$PIDFILE done fi rc_status $RC_OPTIONS ;; restart) $0 stop $0 start rc_status $RC_OPTIONS ;; condrestart) [ -e /var/lock/subsys/snort ] && $0 restart ;; status) echo -n "Checking for Snort : " checkproc $SNORT_BIN rc_status $RC_OPTIONS ;; stats) TC=125 # Trailing context to grep SNORTNAME='snort' # Process name to look for if [ ! -x "/sbin/pidof" ]; then echo "/sbin/pidof not present, sorry, I cannot go on like this!" exit 1 fi #Grab Snort's PID PID=`pidof -o $$ -o $PPID -o %PPID -x ${SNORTNAME}` if [ ! -n "$PID" ]; then # if we got no PID then: echo "No PID found: ${SNORTNAME} is not running." exit 2 fi echo "" echo "*******" echo "WARNING: This feature is EXPERIMENTAL - please report errors!" echo "*******" echo "" echo "You can also run: $0 stats [long | opt]" echo "" echo "Dumping ${SNORTNAME}'s ($PID) statistics" echo "please wait..." # Get the date and tell Snort to dump stats as close together in # time as possible--not 100%, but it seems to work. startdate=`date '+%b %e %H:%M:%S'` # This causes the stats to be dumped to syslog kill -USR1 $PID # Sleep for $SECS secs to give syslog a chance to catch up # May need to be adjusted for slow/busy systems sleep $SECS if [ "$2" = "long" ]; then # Long format egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \ grep snort.*: elif [ "$2" = "opt" ]; then # OPTimize format # Just show stuff useful for optimizing Snort egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \ egrep "snort.*: Snort analyzed |snort.*: dropping|emory .aults:" else # Default format egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \ grep snort.*: | cut -d: -f4- fi ;; *) echo "Usage: $0 {start|stop|restart|condrestart|status|stats (long|opt)}" exit 2 esac exit 0