Snort - the de facto standard for intrusion detection/prevention

7.20 My snort crashes, how do I restart it?

Try one of the two shell scripts below, or use daemontools (see the daemontools website).

  * #!/bin/sh
    # snorthup: Snort Restarter and Crash Logger
    # (dr@kyx..net with help from kmaxwell@superpages.com)

    conf="snort.conf"
    for IFACE in fxp0 fxp1
    do
        if [ -f /var/run/snort_$IFACE.pid ]; then
            # A pidfile exists; restart only if the process it names is gone.
            if ! ps -p `cat /var/run/snort_$IFACE.pid` > /dev/null ; then
                /usr/bin/logger -p user.notice snorthup: removing bogus pidfile
                /usr/bin/logger -p user.notice snorthup: restarting absentee snort on $IFACE with conf file $conf
                rm -f /var/run/snort_$IFACE.pid
                /usr/local/bin/snort -D -c $conf -i $IFACE
            fi
        else
            # No pidfile, so Snort is not running on this interface.
            /usr/bin/logger -p user.notice snorthup: restarting snort on $IFACE with conf file $conf
            /usr/local/bin/snort -D -c $conf -i $IFACE
        fi
    done
Another version:
  * #!/bin/ksh
    # snortstartd: Snort (Re)Starter
    # Dom De Vitto (dom@devitto..com)
    # (original idea by dr@kyx..net & kmaxwell@superpages.com)
    #
    # Note: You'd better get CONF and INTERFACES right or
    # this script will just keep trying to start snort.
    # Path to echo, sed, test, ps, grep, logger, rm, and sleep.

    PATH=$PATH:/usr/bin:/usr/local/bin ; export PATH
    
    # Point this to your conf file:
    
    CONF="/usr/local/share/examples/snort/snort.conf"

    # Which interfaces should Snort run on, e.g.:

    INTERFACES="hme0 hme1"

    # Wait this many seconds between checks:

    CHECKEVERY=5

    # Full path to Snort:

    SNORTBINARY=/usr/local/bin/snort

    while :; do
      for INT in $INTERFACES
      do
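        # Escaping the slashes keeps this grep from matching its own entry
        # in the ps output.
        GREPSTRING="`echo $SNORTBINARY -N -D -c $CONF -i $INT|sed 's?\/?\\\/?g'`"
        PSCMDLINES=`(ps augxww 2>/dev/null||ps -ef 2>/dev/null) | grep "$GREPSTRING"|wc -l`
        if [ $PSCMDLINES = 0 ]; then
          logger -p user.notice -t "$0" "Starting Snort on $INT."
          # Redirect stdout first so that stderr follows it to /dev/null.
          $SNORTBINARY -N -D -c $CONF -i $INT > /dev/null 2>&1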
        fi
      done
      sleep $CHECKEVERY
    done
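
The first script trusts whatever PID the pidfile holds, so a corrupt pidfile or a PID that has since been reused by another program can leave an interface unmonitored. The following is an added example, not part of the FAQ or the contributed scripts: it classifies a pidfile as missing, stale or running before deciding to restart. The function names (proc_name, pidfile_state, ensure_snort, demo) and the CONF variable are assumptions; the paths are the ones used in the first script.

```shell
#!/bin/sh
# Added example (not from the Snort FAQ): classify a Snort pidfile before
# restarting. Function names and the CONF variable are assumptions.

# Print the command name of PID $1, or an empty line if it cannot be read.
proc_name() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm" 2>/dev/null || true
    else
        name=$(ps -p "$1" -o comm= 2>/dev/null) || name=
        echo "${name##*/}"        # some ps versions print a full path
    fi
}

# pidfile_state FILE NAME -> prints missing | stale | running
pidfile_state() {
    [ -f "$1" ] || { echo missing; return 0; }
    pid=$(head -n 1 "$1" | tr -d ' \t\r')
    case "$pid" in
        ''|*[!0-9]*) echo stale; return 0 ;;    # empty or not a number
    esac
    name=$(proc_name "$pid")                     # empty if no such process
    if [ -n "$name" ] && [ "$name" = "$2" ]; then echo running; else echo stale; fi
}

# Restart decision for one interface, in the style of snorthup (not run below).
ensure_snort() {
    pf=/var/run/snort_$1.pid
    [ "$(pidfile_state "$pf" snort)" = running ] && return 0
    /usr/bin/logger -p user.notice "snorthup: restarting snort on $1 with conf file $CONF"
    rm -f "$pf"
    /usr/local/bin/snort -D -c "$CONF" -i "$1"
}

# Constructed demo: pidfiles that a bare "ps -p" check would misjudge.
demo() {
    dir=$(mktemp -d) || return 1
    echo "not-a-pid" > "$dir/garbage.pid"
    echo "$$" > "$dir/recycled.pid"   # live PID, but this shell is not snort
    for f in garbage recycled absent; do
        echo "$f: $(pidfile_state "$dir/$f.pid" snort)"
    done
    rm -rf "$dir"
}
demo
```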



Nigel Houghton 2006-10-02