Stellarcore.net

This is my modified snortd init script. It writes each day's logs to a dated directory, which makes the massive amount of data that snort generates much easier to deal with. Besides the dated log directory, it runs snort as the ids user and group with a umask of 0027, so making a user part of the ids group gives that user read permission on the logs and nobody else gets any.

#!/bin/sh
#
# snortd         Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description:  snort is a lightweight network intrusion
#		detection tool that currently detects more than
#		1100 host and network vulnerabilities,
#		portscans, backdoors, and more.
#
# June 10, 2000 -- Dave Wreski 
#   - initial version
#
# July 08, 2000 Dave Wreski 
#   - added snort user/group
#   - support for 1.6.2
# July 31, 2000 Wim Vandersmissen 
#   - added chroot support

# Source function library.
. /etc/rc.d/init.d/functions

# Specify your network interface here
INTERFACE=eth0

# Added date format for easy log rotation -mgt
# Note: the date is sampled when snort is started, so a daemon that runs
# past midnight keeps writing into the old directory until it is restarted.
date=`date +%Y-%m-%d`

# Create today's log directory, owned by the ids user/group, so snort can
# write to it after dropping privileges. Only needed on start.
make_logdir() {
	if [ ! -d /var/log/snort/logs_$date ]; then
		mkdir -p /var/log/snort/logs_$date
		chown ids:ids /var/log/snort/logs_$date
	fi
}

# See how we were called.
case "$1" in
  start)
	echo -n "Starting snort: "
	make_logdir
	cd /var/log/snort
	# -m 0027 sets snort's umask (logs end up 0640, dirs 0750),
	# -u/-g drop to the ids user and group after opening the interface.
	daemon /usr/sbin/snort -A fast -l /var/log/snort/logs_$date -d -D -i \
	$INTERFACE -c /etc/snort/snort.conf -m 0027 -u ids -g ids
	touch /var/lock/subsys/snort
	echo
	;;
  stop)
	echo -n "Stopping snort: "
	killproc snort
	rm -f /var/lock/subsys/snort
	echo
	;;
  restart)
	$0 stop
	$0 start
	;;
  status)
	status snort
	;;
  *)
	echo "Usage: $0 {start|stop|restart|status}"
	exit 1
esac

exit 0
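As an added example, not part of the original init script, the following shell snippet exercises the same dated-directory and umask logic against a scratch tree, so it runs without root and without snort installed. The "logs_YYYY-MM-DD" naming and the 0027 umask come from the script above; the helper names, the scratch directory and the rotation check are my own assumptions. It also shows what the init script does not do on its own: decide that the active directory is stale after midnight, which is the check a cron job would run before restarting snort.

```shell
#!/bin/sh
# Added example (not the original snortd script). Reproduces the dated
# log directory and umask 0027 behaviour in a scratch directory so the
# resulting permissions can be inspected without root or snort.

# Print the dated log directory for a base dir and a date, creating it
# idempotently (mkdir -p). Date defaults to today, as in the init script.
ensure_log_dir() {
	base="$1"
	day="${2:-$(date +%Y-%m-%d)}"
	dir="$base/logs_$day"
	mkdir -p "$dir" || return 1
	printf '%s\n' "$dir"
}

# Octal mode of a path: GNU stat first, BSD stat as a fallback.
mode_of() {
	stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a file the way snort does under "-m 0027": 0666 & ~0027 = 0640,
# i.e. owner read/write, group read, others nothing. Prints the mode.
write_with_umask_0027() {
	( umask 0027 && : > "$1" ) || return 1
	mode_of "$1"
}

# A directory created under the same umask comes out 0750: members of the
# ids group can list and read the logs, everyone else is shut out.
mkdir_with_umask_0027() {
	( umask 0027 && mkdir -p "$1" ) || return 1
	mode_of "$1"
}

# The init script picks the date only when snort starts. This returns 0
# (true) when the active directory no longer matches today's date and a
# restart is due, 1 when it still matches. Date argument defaults to today.
needs_rotate() {
	active="$1"
	today="${2:-$(date +%Y-%m-%d)}"
	[ "$(basename "$active")" != "logs_$today" ]
}

# Demo against a constructed scratch tree, not a real /var/log/snort.
demo() {
	scratch="$(mktemp -d)"
	dir="$(ensure_log_dir "$scratch" 2000-06-10)"
	echo "log dir:    $dir"
	echo "alert mode: $(write_with_umask_0027 "$dir/alert")"
	echo "dir mode:   $(mkdir_with_umask_0027 "$dir/archive")"
	if needs_rotate "$dir" 2000-06-11; then
		echo "rotate:     yes (directory is from a previous day)"
	else
		echo "rotate:     no"
	fi
	rm -rf "$scratch"
}

demo
```

Run it as an unprivileged user; the modes printed are what snort would leave behind under `-m 0027`, which is why adding someone to the ids group is enough to let them read the logs while keeping them hidden from everyone else.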