14 January 2014, 22:09


When compiled from sources, SNORT does not install an /etc/init.d script.
Besides, Barnyard2 (the unified2 spool reader that feeds the database) needs to be started at boot too.

Let's look at some autostart scripts for SNORT and Barnyard2.

 


 

Tested on Ubuntu 14.04 LTS and Debian 7.5. Edited 03 June 2014.

 

Beware of the sniffing interface in the scripts. If you are not using eth0, change it accordingly; the pid file name Snort writes (/var/run/snort_eth0.pid in the scripts below) follows the interface name as well.

 

Notes: these scripts are provided as examples, for experimentation and learning. They are not fit for a production environment, where a certified Linux system administrator is needed.

 

1. Quick easy way

 

sudo gedit /etc/init.d/snortautorun

------------------------------------------------------------------------------------------------
#!/bin/bash
# init runs this as root, so sudo is pointless here; Snort drops
# privileges to the snort user/group itself (-u/-g).
# The script ignores $1: "stop" would start Snort as well.
snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth0

exit 0
---------------------------------------------------------------------------------------------------

sudo chmod +x /etc/init.d/snortautorun

sudo update-rc.d snortautorun defaults




2. A Cleaner way

This script is a little more structured and good-practice compliant: it carries the LSB header that update-rc.d/insserv read to order the boot sequence, and it honours the start and stop arguments.

sudo gedit /etc/init.d/snortautorun

---------------------------------------------------------------------------------------------------
#!/bin/bash
### BEGIN INIT INFO
# Provides:          snortautorun
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start Snort at boot time
# Description:       Start/stop the Snort NIDS compiled from sources.
### END INIT INFO

# init runs this as root: no sudo needed, Snort drops privileges with -u/-g.
case "$1" in
  start)
    snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth0
    echo "SNORT is ON"
    ;;
  stop)
    echo "trying to stop Snort"
    killall snort        # SIGTERM: Snort closes its log files and exits
    sleep 4
    echo "  "
    echo "try this command to verify SNORT is stopped :"
    echo "ps -A | grep snort"
    ;;
  *)
    echo "Usage: /etc/init.d/snortautorun {start|stop}"
    exit 1
    ;;
esac

exit 0
-------------------------------------------------------------------------------------------------------------------------

sudo chmod +x /etc/init.d/snortautorun

sudo update-rc.d snortautorun defaults


NB: Snort is running before any user logs in.



3. Complete Start / Stop Script with run-autodetect

This script provides start/stop capabilities and checks whether Snort is already running before starting or stopping it (with ps -C snort, which matches any process whose command name is snort).

sudo gedit /etc/init.d/snortautorun

---------------------------------------------------------------------------------------------------------------------------------
#!/bin/bash
### BEGIN INIT INFO
# Provides:          snortautorun
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start Snort at boot time
# Description:       Start/stop the Snort NIDS compiled from sources.
### END INIT INFO

# init runs this as root: no sudo needed, Snort drops privileges with -u/-g.
case "$1" in
  start)
    if ps -C snort > /dev/null; then
      echo "SNORT is already running"
    else
      snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth0
      echo "SNORT is ON"
    fi
    ;;
  stop)
    if ps -C snort > /dev/null; then
      echo "Stopping SNORT"
      pkill snort
      sleep 2
      # Remove the pid and lock files Snort leaves behind; they are named
      # after the sniffing interface, so change eth0 here too if needed.
      rm -f /var/run/snort_eth0.pid /var/run/snort_eth0.pid.lck
    else
      echo "SNORT is already OFF"
    fi
    ;;
  *)
    echo "Usage: /etc/init.d/snortautorun {start|stop}"
    exit 1
    ;;
esac

exit 0
------------------------------------------------------------------------------------------------------------------------------------------------

sudo chmod +x /etc/init.d/snortautorun

sudo update-rc.d snortautorun defaults


NB: Snort is running before any user logs in.


4. SNORT Reference Script

For comparison, you may want to have a look at the init.d script installed by apt-get install snort.
I'll copy it here as soon as possible.



5. Barnyard2 Startup Script

A basic Barnyard2 start/stop/restart script:

 

 

sudo touch /etc/init.d/runbarnyard2
sudo gedit /etc/init.d/runbarnyard2
-----------------------------------------------------------------------------------------------
#!/bin/sh
# init runs this as root: no sudo needed.
# -D daemonise, -d spool directory, -f spool file base name,
# -n process only new events (skip what was already read).
case "$1" in
    start)
        echo "Starting Barnyard2"
        barnyard2 -D -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -n
        echo 'Barnyard2 started.'
    ;;
    stop)
        echo "Stopping Barnyard2"
        killall barnyard2
        echo 'Barnyard2 stopped.'
    ;;
    restart)
        $0 stop
        sleep 4
        $0 start
    ;;
    *)
        echo "usage: $0 (start|stop|restart)"
        exit 1
    ;;
esac

exit 0
-----------------------------------------------------------------------------------------------

sudo chmod 755 /etc/init.d/runbarnyard2
sudo update-rc.d runbarnyard2 defaults


( note : Ubuntu users might get better results with : sudo update-rc.d runbarnyard2 defaults 21 00 , which gives the script start sequence number 21, so Barnyard2 starts after scripts registered with the default sequence 20, such as the Snort script above )

( note2 : to remove the rc links again, use : sudo update-rc.d -f runbarnyard2 remove )


We also set Barnyard2 to launch as a daemon by uncommenting the daemon line in its configuration (the -D flag on the command line above does the same):

gedit /etc/snort/barnyard2.conf :
------------------------------------------------------------
# enable daemon mode
#
config daemon
-------------------------------------------------------------

 

Usage :

sudo /etc/init.d/runbarnyard2 start/stop/restart

 

A Barnyard2/Data Cleanup script

Here is a variant that adds a clean option: it stops SNORT and Barnyard2 and deletes all logs (/var/log/snort, /var/log/barnyard2). Note how sloppy it is (2> /dev/null hides the error messages). Really not for use in a production environment!

note : if using a custom snort script, change 'service snort stop' into the relevant line, ex : /etc/init.d/snortautorun stop

 

sudo touch /etc/init.d/runbarnyard2
sudo gedit /etc/init.d/runbarnyard2
-----------------------------------------------------------------------------------------------
#!/bin/sh
# init runs this as root: no sudo needed.
case "$1" in
    start)
        echo " * Starting Barnyard2"
        barnyard2 -D -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -n
    ;;
    stop)
        echo " * Stopping Barnyard2"
        killall barnyard2
    ;;
    restart)
        $0 stop
        sleep 4
        $0 start
    ;;
    clean)
        echo "  "
        service snort stop          # or: /etc/init.d/snortautorun stop
        echo "  "
        $0 stop
        echo "  "
        rm -f /var/log/snort/snort.log.* 2> /dev/null
        : > /var/log/snort/portscan.log     # truncate, keep the file
        rm -f /var/log/barnyard2/* 2> /dev/null
        echo "Snort and Barnyard2 data cleaned"
        echo "  "
        #echo "Snort and Barnyard2 stopped / data cleaned"
        echo "Don't forget to empty the SNORT MySQL database"
        echo "  "
    ;;
    *)
        echo "usage: $0 (start|stop|restart|clean)"
        exit 1
    ;;
esac

exit 0


-----------------------------------------------------------------------------------------------

sudo chmod 755 /etc/init.d/runbarnyard2
sudo update-rc.d runbarnyard2 defaults



 

Usage :

sudo /etc/init.d/runbarnyard2 start/stop/restart/clean

 

6. A Clever Barnyard2 Start/Stop/Restart/Cleanup Script

This script is a little more clever: its stop action reads Barnyard2's pid file to tell whether it is running, and signals that pid instead of killing by name.

note : if using a custom snort script, change 'service snort stop' into the relevant line, ex : /etc/init.d/snortautorun stop

 

--------------------------------------------------------------------------------------------------------------------

#!/bin/sh
# init runs this as root: no sudo needed.
# Pid file Barnyard2 writes for the command line below.
PIDFILE=/var/run/barnyard2_NULL.pid

case "$1" in
    start)
        echo " * Starting the Barnyard2 Spooler"
        barnyard2 -D -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -n
        echo ' * Barnyard2 started.'
    ;;
    stop)
        echo " * Stopping the Barnyard2 Spooler"
        if [ ! -f "$PIDFILE" ]; then
            echo " * Barnyard2 is Not Running" >&2
            exit 1            # "return" is only valid inside a function
        fi
        kill -15 "$(cat "$PIDFILE")"     # SIGTERM: let it finish the spool
        sleep 4
        rm -f "$PIDFILE" "$PIDFILE.lck"
        #pkill barnyard2
        echo ' * Barnyard2 stopped.'
    ;;
    restart)
        $0 stop
        $0 start
    ;;
    clean)
        echo "  "
        echo "Stopping SNORT"
        service snort stop          # or: /etc/init.d/snortautorun stop
        echo "SNORT is stopped"
        echo "  "

        echo "Stopping Barnyard2"
        $0 stop
        echo "Barnyard2 is stopped"
        echo "  "

        echo "Cleaning logs"
        # A glob inside [ -f ... ] fails as soon as it matches more than
        # one file; let ls expand it instead.
        if ls /var/log/snort/snort.log.* > /dev/null 2>&1; then
            rm -f /var/log/snort/snort.log.*
        else
            echo " * No snort.log present"
        fi

        if [ "$(ls -A /var/log/barnyard2)" ]; then
            rm -f /var/log/barnyard2/*.*
        else
            echo " * No Barnyard2 logs present"
        fi

        if [ -s /var/log/snort/portscan.log ]; then
            : > /var/log/snort/portscan.log     # truncate, keep the file
            echo " * portscan.log cleaned"
        else
            echo " * portscan.log is already empty"
        fi
        echo "  "
        echo "Logs Cleaned"
        echo "  "
        echo "Don't forget to empty the SNORT MySQL Database"
        echo "  "
    ;;
    *)
        echo "usage: $0 (start|stop|restart|clean)"
        exit 1
    ;;
esac

exit 0


-------------------------------------------------------------------------------------------------------------------- 
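The scripts above decide whether a daemon is running with ps -C, killall, or a bare test for the pid file, none of which can tell a live process from a stale pid file left behind by a crash or an unclean reboot. Here is an added example, my own code and not the Debian package's snort script nor anything from the Snort project, of what the section 3 script looks like when it validates the pid file, reports LSB status codes (0 running, 1 dead but pid file present, 3 stopped) and escalates from SIGTERM to SIGKILL only after a timeout. Assumed, and overridable from the environment: the binary at /usr/local/bin/snort, interface eth0, /etc/snort/snort.conf, the snort user/group, and the pid file name /var/run/snort_eth0.pid that Snort derives from the interface. The same skeleton, with the barnyard2 command line and /var/run/barnyard2_NULL.pid from section 6 substituted, replaces the killall-based Barnyard2 scripts of sections 5 and 6.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          snortautorun
# Required-Start:    $remote_fs $syslog $network
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Snort NIDS (compiled from sources)
### END INIT INFO
# Added example, not the Debian package script. All paths below are
# assumptions for a source install; override them in the environment.
NAME=snort
DAEMON=${DAEMON:-/usr/local/bin/snort}
IFACE=${IFACE:-eth0}
CONF=${CONF:-/etc/snort/snort.conf}
RUNAS_USER=${RUNAS_USER:-snort}
RUNAS_GROUP=${RUNAS_GROUP:-snort}
PIDFILE=${PIDFILE:-/var/run/snort_${IFACE}.pid}   # Snort names it after -i
STOP_TIMEOUT=${STOP_TIMEOUT:-15}                   # seconds before SIGKILL

# Print the pid recorded in $PIDFILE if that process is alive (status 0).
# Status 1 for a missing, empty, non-numeric or stale pid file: the case
# that ps -C / killall based scripts cannot tell apart from "running".
running_pid() {
    [ -f "$PIDFILE" ] || return 1
    pid=$(head -n 1 "$PIDFILE" 2>/dev/null | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;                 # garbage in the pid file
    esac
    kill -0 "$pid" 2>/dev/null || return 1       # no such process
    echo "$pid"
}

# LSB status codes: 0 running, 1 dead but pid file exists, 3 not running.
do_status() {
    if running_pid >/dev/null; then
        return 0
    elif [ -f "$PIDFILE" ]; then
        return 1
    fi
    return 3
}

do_start() {
    if pid=$(running_pid); then
        echo "$NAME already running (pid $pid)"
        return 0
    fi
    [ -x "$DAEMON" ] || { echo "$DAEMON not found" >&2; return 5; }
    rm -f "$PIDFILE" "$PIDFILE.lck"     # leftovers from a crash or reboot
    # init runs this as root, so no sudo; Snort drops to -u/-g itself.
    start-stop-daemon --start --quiet --exec "$DAEMON" -- \
        -D -u "$RUNAS_USER" -g "$RUNAS_GROUP" -c "$CONF" -i "$IFACE"
}

do_stop() {
    if ! pid=$(running_pid); then
        echo "$NAME is not running"
        rm -f "$PIDFILE" "$PIDFILE.lck"
        return 0
    fi
    # SIGTERM lets Snort close its unified2 files; SIGKILL only on timeout.
    kill -TERM "$pid"
    waited=0
    while kill -0 "$pid" 2>/dev/null; do
        if [ "$waited" -ge "$STOP_TIMEOUT" ]; then
            echo "$NAME (pid $pid) ignored SIGTERM, sending SIGKILL" >&2
            kill -KILL "$pid" 2>/dev/null
            break
        fi
        sleep 1
        waited=$((waited + 1))
    done
    rm -f "$PIDFILE" "$PIDFILE.lck"
    echo "$NAME stopped"
}

# Dispatch only when an action is given, so the functions above can also be
# sourced from another script without side effects.
if [ $# -gt 0 ]; then
    case "$1" in
        start)   do_start ;;
        stop)    do_stop ;;
        restart) do_stop && do_start ;;
        status)
            rc=0; do_status || rc=$?
            if [ "$rc" -eq 0 ]; then echo "$NAME is running (pid $(running_pid))"
            else echo "$NAME is not running (status $rc)"; fi
            exit "$rc" ;;
        *) echo "Usage: $0 {start|stop|restart|status}" >&2; exit 2 ;;
    esac
    exit $?
fi
```

Install it exactly like the page's scripts (chmod 755, update-rc.d snortautorun defaults); the status action is what service snort status expects, and its return code is the quickest check that the sensor actually came back after a reboot rather than leaving a pid file behind.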

 

 

7. Notes

The script shipped with the sources:

When compiling from sources, the tarball carries an rpm-family init script, but no Debian-family one.

The rpm script is of course not usable as-is on Debian / Ubuntu.

 

 

 

- SNORT® is a registered trademark  of Sourcefire, Inc. -
