
Snort Forums Archive


Snort IDS Start at Boot


Posted by ross_k on March 07, 2005 15:12:43

I have installed Snort/MySQL/ACID on a Dell D600 running Fedora Core 2 per the directions on the old Snort site (the link to that .pdf is not working at this moment). I want to use this laptop as a "portable IDS". This is not a big issue, but on my other installs of Snort et al. using these instructions, Snort automatically starts and immediately logs alerts. For some reason, on this installation I get no alerts until I run "snort -c /etc/snort/snort.conf". I have checked /etc/init.d/snort and the config line is correct (I think): /etc/snort/snort.conf. One more thing (though this issue existed previously): I have set up Nessus on this laptop. I would not think that this would make a difference, but I am new to Linux and I definitely could have missed something.
Thanks,

Posted by nigel on March 07, 2005 15:33:50

Do you have a startup script you are using that you could post here?

Posted by ross_k on March 08, 2005 02:41:49

As I said, I used the procedures from the Snort_SSL_FC2.pdf that is available from this website. For the sake of convenience I am including the section that pertains to auto startup:

Now we will turn off the init script from the RPM and replace it with the snort init script that comes with the source.
chkconfig snortd off
cp /usr/share/doc/snort-2.2.0/contrib/S99snort /etc/init.d/snort
Now edit the /etc/init.d/snort file as follows:
# set config file & path to snort executable
SNORT_PATH=/usr/sbin
CONFIG=/etc/snort/snort.conf
# set GID/Group Name
SNORT_GID=snort

rm -rf /etc/init.d/snortd
cd /etc/rc3.d
ln -s ../init.d/snort S99snort
ln -s ../init.d/snort K99snort
cd /etc/rc5.d
ln -s ../init.d/snort S99snort
ln -s ../init.d/snort K99snort
Snort will now start automatically for you when you start the sensor.
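
Added example, not from the thread or the Snort_SSL_FC2 PDF: a POSIX shell check of the SysV boot wiring the quoted instructions set up, run against a root prefix so it can be tried on a scratch tree before the live sensor. It assumes the paths, link names and CONFIG= line exactly as quoted above; the function name check_snort_boot is my own.

```shell
#!/bin/sh
# Added example, not from the thread or the Snort_SSL_FC2 PDF.
# check_snort_boot ROOT walks the SysV wiring the quoted instructions set up
# (init script, CONFIG= line, S99/K99 links in rc3.d and rc5.d, stale snortd)
# under the directory ROOT and returns the number of problems found.
# Assumptions: paths exactly as quoted above; ROOT=/ inspects the live box.
check_snort_boot() {
    root=${1:-/}
    root=${root%/}          # "/" becomes "" so "$root/etc" stays absolute
    fails=0
    script="$root/etc/init.d/snort"

    if [ ! -f "$script" ]; then
        echo "MISSING: $script"; fails=$((fails + 1))
    else
        if [ ! -x "$script" ]; then
            echo "NOT EXECUTABLE: $script"; fails=$((fails + 1))
        fi
        # the script's CONFIG= line must name a file that actually exists
        cfg=$(sed -n 's/^CONFIG=//p' "$script" | head -n 1)
        if [ -z "$cfg" ]; then
            echo "NO CONFIG= LINE: $script"; fails=$((fails + 1))
        elif [ ! -f "$root$cfg" ]; then
            echo "CONFIG FILE MISSING: $cfg"; fails=$((fails + 1))
        fi
    fi

    # the RPM's snortd script must be gone, or two scripts contend for the sensor
    if [ -e "$root/etc/init.d/snortd" ]; then
        echo "STALE: /etc/init.d/snortd still present"; fails=$((fails + 1))
    fi

    # both runlevels need start and kill links pointing back at ../init.d/snort
    for rl in 3 5; do
        for link in S99snort K99snort; do
            p="$root/etc/rc$rl.d/$link"
            if [ ! -L "$p" ]; then
                echo "MISSING LINK: $p"; fails=$((fails + 1))
            elif [ "$(readlink "$p")" != "../init.d/snort" ]; then
                echo "WRONG TARGET: $p -> $(readlink "$p")"; fails=$((fails + 1))
            fi
        done
    done
    return "$fails"
}
```

On the sensor itself, `check_snort_boot /` prints each problem and exits non-zero when the boot wiring is incomplete, which is the first thing to rule out before suspecting the ruleset or the ACID side.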

Posted by nigel on March 08, 2005 03:40:34

Well, that script hasn't been in the contrib directory for quite some time. Did you see any errors when you were trying those commands at all?

Please check to make sure the script is actually in place in /etc/init.d/

Posted by ross_k on March 08, 2005 05:20:14

The file /etc/init.d/snort exists and contains the following lines:

# set config file & path to snort executable
SNORT_PATH=/usr/sbin
CONFIG=/etc/snort/snort.conf
# set GID/Group Name
SNORT_GID=snort

I have used these procedures on 3 other machines and it has always worked OK. In monitoring the Fedora boot process, snort appears to start successfully. Upon further review I am beginning to think that something else is causing the problem. This morning, after manually starting and receiving alerts in ACID, the alerts seemed to stop. Since I am still in testing mode I have another snort box running off the same switch as a control. Comparisons of /etc/snort/snort.conf and /etc/init.d/snort on both boxes show that they are identical.


Posted by ross_k on March 08, 2005 17:09:28

Thanks for the input. Since I am in testing mode and I am fairly new at Linux I decided to blow away the FC2/ACID/MYSQL load and move up to Fedora 3/Snort 2.3/BASE based on Patrick Harper's documentation. It looks like this new implementation sticks to a simpler (re:default) structure and that will make it easier to research and understand the relationships between the various components. I am sure I will need to come back here again soon enough.
Keep up the good work!