reconfigure snort daemon startup script
Hi,
I just installed snort from RPM in Mandrake 10.0. The startup script in /etc/rc.d/init.d starts snort & instructs it to log to /var/log/snort/alert. However, I need for it to log violations in /var/log/messages. Now, how do I edit the snortd file so that it may do so? I'm afraid I know next to nothing about building unix shell scripts (beyond the obvious, that is). Please do advise me on how to do that, or point me to a howto that might help (the howtos on snort.org do not have this). Maybe it's something trivial, but I do not want to risk misconfiguring the script. Please do advise. For reference, the /etc/rc.d/init.d/snortd is provided below:

*********************************************************************************************
#!/bin/sh
# $Id: snortd,v 1.3 2003/12/12 02:05:51 cazz Exp $
# snortd         Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description:  snort is a lightweight network intrusion detection tool that \
#                currently detects more than 1100 host and network \
#                vulnerabilities, portscans, backdoors, and more.
#

# Source function library.
. /etc/rc.d/init.d/functions

# Source the local configuration file
. /etc/sysconfig/snort

# Convert the /etc/sysconfig/snort settings to something snort can
# use on the startup line.
if [ "$ALERTMODE"X = "X" ]; then
   ALERTMODE=""
else
   ALERTMODE="-A $ALERTMODE"
fi

if [ "$USER"X = "X" ]; then
   USER="snort"
fi

if [ "$GROUP"X = "X" ]; then
   GROUP="snort"
fi

if [ "$BINARY_LOG"X = "1X" ]; then
   BINARY_LOG="-b"
else
   BINARY_LOG=""
fi

if [ "$CONF"X = "X" ]; then
   CONF="-c /etc/snort/snort.conf"
else
   CONF="-c $CONF"
fi

if [ "$INTERFACE"X = "X" ]; then
   INTERFACE="-i eth0"
else
   INTERFACE="-i $INTERFACE"
fi

if [ "$DUMP_APP"X = "1X" ]; then
   DUMP_APP="-d"
else
   DUMP_APP=""
fi

if [ "$NO_PACKET_LOG"X = "1X" ]; then
   NO_PACKET_LOG="-N"
else
   NO_PACKET_LOG=""
fi

if [ "$PRINT_INTERFACE"X = "1X" ]; then
   PRINT_INTERFACE="-I"
else
   PRINT_INTERFACE=""
fi

if [ "$PASS_FIRST"X = "1X" ]; then
   PASS_FIRST="-o"
else
   PASS_FIRST=""
fi

if [ "$LOGDIR"X = "X" ]; then
   LOGDIR=/var/log/snort
fi

######################################
# Now to the real heart of the matter:

# See how we were called.
case "$1" in
  start)
        echo -n "Starting snort: "
        cd $LOGDIR
        if [ "$INTERFACE" = "-i ALL" ]; then
           for i in `cd /proc/sys/net/ipv4/conf; ls -d eth* |sed s/"\/"//g`
           do
                mkdir -p "$LOGDIR/$i"
                chown -R snort:snort $LOGDIR
                daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST
           done
        else
           daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST
        fi
        touch /var/lock/subsys/snort
        echo
        ;;
  stop)
        echo -n "Stopping snort: "
        killproc snort
        rm -f /var/lock/subsys/snort
        echo
        ;;
  reload)
        echo "Sorry, not implemented yet"
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        status snort
        ;;
  *)
        echo "Usage: $0 {start|stop|reload|restart|status}"
        exit 2
esac

exit 0
I need for it to log violations in /var/log/messages.
Check the Snort manual for syslog logging, check "man syslog.conf" for facility/priority, then either edit snort.conf and add the syslog statement or edit syslog.conf and add snort's facility (0-9) to log to syslog's messages file.
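The two configuration fragments the reply above refers to, written out as an added example (not from the original thread or from the Snort project). The facility LOG_LOCAL4 and priority LOG_ALERT are a constructed choice; pick a local facility that no other service on the box already uses:

```conf
# /etc/snort/snort.conf -- add an alert_syslog output plugin so every alert
# is also handed to syslogd. Syntax: output alert_syslog: <facility> <priority>
# (LOG_LOCAL4 / LOG_ALERT are placeholder values chosen for this example)
output alert_syslog: LOG_LOCAL4 LOG_ALERT

# /etc/syslog.conf -- route that facility, at any priority, to the messages
# file. Whitespace between selector and action must be tabs on older syslogd.
local4.*						/var/log/messages
```

After editing, restart syslogd and then snort (service syslog restart; service snortd restart) and confirm with tail -f /var/log/messages while a rule you know fires is triggered. If syslog.conf already carries a catch-all selector such as `*.info;mail.none;authpriv.none;cron.none /var/log/messages`, alerts at priority LOG_ALERT from any facility not excluded by a `.none` entry already land in /var/log/messages, and the syslog.conf line is only needed when the chosen facility is routed elsewhere. Note that with this approach the init script and /var/log/snort stay untouched: snort keeps writing its own alert file and packet logs there, and syslog receives a copy of each alert.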