Snort 2.9.3.x and 2.9.4.x init script.

This is a shell script which works for OpenBSD 5.x installations.

Name this script 'snort' and place the shell script below into the /etc/init.d directory on your OpenBSD 5.x system:

----- CUT HERE -----
#!/bin/sh
#
# Snort Startup Script modified for OpenBSD 5.1
#
# Original Script from Spanish Honeywell Project (2004)
#
# Script modified to add status parameter to 'usage'
#
# Added prefix of 'rc_' on 10/17/2012 to each option in the script
# (i.e. - start becomes rc_start, stop becomes rc_stop, etc)
#
# Script variables (modify to match your system layout)
LAN_INTERFACE=em0
RETURN_VAL=0
BINARY=/usr/local/bin/snort
PATH=/bin:/usr/local/bin
PID=/var/run/snort_${LAN_INTERFACE}_ids.pid
DEL_PID=$PID
LOGDIR=/var/log/snort
DATE=`/bin/date +%Y%m%d`
CONFIG_FILE=/etc/snort/snort.conf
PROG=snort
USER=snort
GROUP=snort
DAQDIR=/usr/local/lib/daq

if [ ! -x "$BINARY" ]; then
    /bin/echo "ERROR: $BINARY not found."
    exit 1
fi

if [ ! -r "$CONFIG_FILE" ]; then
    /bin/echo "ERROR: $CONFIG_FILE not found."
    exit 1
fi

rc_start()
{
    # Check if log directory is present. Otherwise, create it.
    if [ ! -d "$LOGDIR/$DATE" ]; then
        mkdir -p "$LOGDIR/$DATE"
        /usr/sbin/chown -R "$USER:$GROUP" "$LOGDIR/$DATE"
        /bin/chmod -R 700 "$LOGDIR/$DATE"
    fi

    /bin/echo "Starting $PROG: "
    # Snort parameters
    # -D          Run Snort in background (daemon) mode
    # -i          Listen on interface (i.e. - em0, em1, etc)
    # -u          Run snort uid as user (or uid)
    # -g          Run snort gid as group (or gid)
    # -c          Load configuration file
    # --daq-dir=  Directory to search for DAQ modules
    # -N          Turn off logging (alerts still work) (removed to enable logging) :)
    # -l          Log to directory
    # -t          Chroots process to directory after initialization
    # -R          Include 'id' in snort_intf.pid file name
    "$BINARY" -D -i "$LAN_INTERFACE" --daq-dir="$DAQDIR" -u "$USER" -g "$GROUP" \
        -c "$CONFIG_FILE" -l "$LOGDIR/$DATE" -t "$LOGDIR/$DATE" -R _ids
    # Report Snort's own exit status instead of always returning 0
    RETURN_VAL=$?
    if [ $RETURN_VAL -eq 0 ]; then
        /bin/echo "$PROG startup complete."
    else
        /bin/echo "ERROR: $PROG failed to start."
    fi
    return $RETURN_VAL
}

rc_stop()
{
    if [ -s "$PID" ]; then
        /bin/echo "Stopping $PROG with PID `cat "$PID"`: "
        kill -TERM `cat "$PID"` 2>/dev/null
        RETURN_VAL=$?
        /bin/echo "$PROG shutdown complete."
        [ -e "$DEL_PID" ] && rm -f "$DEL_PID"
        [ -e "$DEL_PID.lck" ] && rm -f "$DEL_PID.lck"
    else
        /bin/echo "ERROR: PID in $PID file not found."
        RETURN_VAL=1
    fi
    return $RETURN_VAL
}

rc_status()
{
    if [ -s "$PID" ]; then
        /bin/echo "$PROG is running as pid `cat "$PID"`:"
    else
        /bin/echo "$PROG is not running."
    fi
}

rc_restart()
{
    # Call the rc_-prefixed functions; plain 'stop' and 'start' no longer exist
    rc_stop
    rc_start
    RETURN_VAL=$?
    return $RETURN_VAL
}

case "$1" in
    start)
        rc_start
        ;;
    stop)
        rc_stop
        ;;
    status)
        rc_status
        ;;
    restart|reload)
        rc_restart
        ;;
    *)
        /bin/echo "Usage: $0 {start|stop|status|restart|reload}"
        RETURN_VAL=1
        ;;
esac

exit $RETURN_VAL
----- CUT HERE -----

The above script should have permissions of 700 and be owned by user/group: snort
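
The rc_status function in the script reports Snort as running whenever the PID file is non-empty, so a sensor that crashed and left its PID file behind still shows as up. The following added example (not part of the original script) classifies the PID file as running, stale, invalid or missing; the function names snort_pid_state and rc_status_checked are hypothetical, and it assumes it is run as root like the init script itself.

```sh
#!/bin/sh
# Added example, not part of the original init script.
# Assumption: run as root, so kill -0 is not refused for lack of permission.
# kill -0 only proves that *a* process has this PID, not that it is Snort;
# PID reuse after a crash is still possible.

# Classify a Snort PID file.
# Prints:  "running <pid>", "stale <pid>", "invalid" or "missing".
# Returns: 0 running, 1 stale, 2 invalid, 3 missing.
snort_pid_state() {
    pidfile=$1
    if [ ! -s "$pidfile" ]; then
        echo "missing"
        return 3
    fi
    pid=
    # First line only; read fails without a trailing newline but still sets pid.
    read -r pid < "$pidfile" || :
    case "$pid" in
        ''|0|*[!0-9]*)
            # Empty, zero (would signal the process group) or non-numeric
            echo "invalid"
            return 2
            ;;
    esac
    if kill -0 "$pid" 2>/dev/null; then
        echo "running $pid"
        return 0
    fi
    echo "stale $pid"
    return 1
}

# Status action with the same messages as rc_status, plus the failure cases.
# PROG and PID default to the values the init script uses (LAN_INTERFACE=em0).
rc_status_checked() {
    prog=${PROG:-snort}
    state=$(snort_pid_state "${PID:-/var/run/snort_em0_ids.pid}") && rc=0 || rc=$?
    case $rc in
        0) echo "$prog is running as pid ${state#running }." ;;
        1) echo "$prog is not running (stale PID file, pid ${state#stale })." ;;
        2) echo "$prog PID file is malformed." ;;
        *) echo "$prog is not running." ;;
    esac
    return $rc
}
```

The non-zero return codes let a monitoring job alert when the sensor is down instead of relying on the printed message.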