Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I have a question about snort and have been looking through the man pages etc. and can't seem to find anything. I have a Mandrake 10 box and run snort in a basic mode:
snort -l /var/log/snort -c snort.conf
When I look in /var/log/snort I find some IP address directories and an alert file. The alert file keeps growing and it's hard to parse through. I was wondering if this file could be tagged with a separate date. This would make it easier to view the info for each date.
The alert file keeps growing and it's hard to parse through.
What you could do is run logrotate on the logs and add a log parser (depends on what format you log in) to the prerotate section, or run a log parser hourly for reporting.
Now when I run snort (snort -l /var/log/snort -c snort.conf) it will .gz the file and tag it alert1.gz, alert2.gz, etc. The only problem is that when it zips up the alert file it stops snort from running and doesn't restart it. Any ideas on how to have it start automatically?
There are two l's, sorry, typo. I have two terminals open, one running snort -l /var/log/snort -c snort.conf and the other looking at the /etc/var/log/snort file. When the alert file is .gz'd, the terminal that was running snort is sitting at the #. I restarted snort this AM and I'm waiting for the alert file to compress; then I'll check /etc/init.d and run ./snortd status.
I checked the log today. Snort has stopped running since the last .gz alert file, and when I run /etc/init.d/snortd status it comes back with "snort dead but subsys locked". How should I get snort to run after it .gz's the alert file?
Snort has stopped running since the last .gz alert file, and when I run /etc/init.d/snortd status it comes back with "snort dead but subsys locked".
Weird. The only ways I can imagine Snort stopping are when:
- the config files or rules were updated and Snort stumbled over an error (like with older versions of Snort and rules using, say, PCRE tags),
- the network was brought down (it's a libpcap app, happens to all of them),
- it couldn't find its logs while writing (unsure about that, haven't tested it).
In the case of subsys locks, if you execute "/etc/init.d/snortd stop" the subsys lock will be cleaned up; then issue "/etc/init.d/snortd start".
Depending on your initscript, "restart" would do the same, or not.
I checked out another laptop I have running Mandrake 9.1 and it didn't have the /etc/logrotate.d/snort file. I created it just as above, ran chmod +x, ran snort, and it zipped up the file fine. Only it didn't start snort back up. Anyone have any ideas on how to start snort back up automatically after it .gz's the file?
In your logrotate script, add a postrotate statement, something like this:
"pgrep -x snort >/dev/null && pkill -HUP -x snort || /etc/init.d/snort restart". If it's already running, ask it to reread its conf and close/open files (kill takes a PID, not a path, so pkill looks the process up by name), else do a hard restart.
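As an added example (not code from this thread or from the Snort project), here is the logrotate stanza and the postrotate logic the last two replies describe, written in POSIX sh. It assumes a logrotate that supports the dateext and copytruncate options (present in current versions; check `man logrotate` on the Mandrake box, where this is an assumption), and that Snort 2.x handles SIGHUP by re-executing itself with its original arguments, which is what the one-liner above relies on. dateext also answers the original question: the archives come out as alert-YYYYMMDD.gz instead of alert1.gz, alert2.gz. The write_snort_logrotate, rotate_with_date and reload_or_restart function names, the pidfile argument and the sample alert line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the LQ thread or the Snort project.
# Rotates Snort's alert file with a date tag and reloads (or restarts) Snort
# afterwards. Paths follow the thread; the init script name, the PID argument
# and the sample alert line used in testing are assumptions/constructed.

# Write a logrotate stanza for /var/log/snort/alert. dateext names the
# archives alert-YYYYMMDD.gz. copytruncate copies the file and truncates the
# original in place, so Snort keeps appending to the descriptor it already has
# open and never has to be signalled or restarted. If you prefer the
# create-and-signal style, drop copytruncate and call reload_or_restart from
# a postrotate/endscript block instead.
write_snort_logrotate() {
    conf="$1"
    cat > "$conf" <<'EOF'
/var/log/snort/alert {
    daily
    rotate 30
    missingok
    notifempty
    compress
    dateext
    copytruncate
}
EOF
}

# Rotate one file by hand the way the stanza above does: copy, truncate,
# compress, with the date in the archive name. Prints the archive path.
# Returns 1 and does nothing for an empty or missing file (notifempty).
rotate_with_date() {
    file="$1"
    stamp="$2"                     # e.g. 20040301, from: date +%Y%m%d
    [ -s "$file" ] || return 1
    cp -p "$file" "$file-$stamp"   # copy ...
    : > "$file"                    # ... then truncate in place; Snort opened the
                                   # file in append mode, so its next write lands
                                   # at the new end instead of in the old offset
    gzip -f "$file-$stamp"
    echo "$file-$stamp.gz"
}

# The postrotate logic from the reply, with the PID passed in explicitly.
# If the process is alive, send SIGHUP (Snort 2.x re-executes itself, which
# reopens the alert file); otherwise run the restart command. Prints which
# branch was taken so a caller can log it.
# Usage: reload_or_restart "$(cat /var/run/snort_eth0.pid)" "/etc/init.d/snortd restart"
reload_or_restart() {
    pid="$1"
    restart_cmd="$2"
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        kill -HUP "$pid" && echo reloaded
    else
        eval "$restart_cmd" >/dev/null 2>&1 && echo restarted
    fi
}
```

Two things to check before relying on this on the box from the thread: Snort started in the foreground with `snort -l /var/log/snort -c snort.conf` writes no pidfile, so either run it with -D (which writes one under /var/run) or look the PID up with `pgrep -x snort` as the reply does; and with copytruncate there is a small window between the copy and the truncate in which an alert written by Snort can be lost, which is the price of never signalling the sensor. If that matters, use the signal approach and pass the PID to reload_or_restart from a postrotate block.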
I have loaded snort on a server with two gigabit interfaces and one 10/100 interface. Snort will run from /etc/snort when you issue the command snort -l /var/log/snort -c snort.conf. I have set up logrotate and it works, but snortd will not run. I issue the command in /etc/rc.d/init.d (./snortd status, stop, start) and I get "failed" all the time. What could cause snort to run but not the daemon in /etc/rc.d/init.d...?