Tuesday, August 15, 2006

Snort management scripts

In a recent thread on the Internet Storm Center I offered some scripts that I wrote entirely for convenience at the shell prompt. Save each as the # commented title, add them to your working directory, chmod a+x them, and use at will:

For Bleeding-Edge rules, I prefer the single bleeding-all.rules, so I use this to update it rather than Oinkmaster:

    cd /etc/snort/rules/
    rm -f bleeding-all.rules
    wget http://www.bleedingsnort.com/bleeding-all.rules

To fire Oinkmaster manually rather than from cron:

    oinkmaster.pl -C /etc/oinkmaster.conf -C /etc/autodisable.conf -o /etc/snort/rules

To kill the daemon:

    killall snort

To confirm Snort process state:

    ps aux | grep snort

To confirm Snort runs cleanly after config or rule changes:

    /usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -v

To start the daemon:

    /usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -g snort -D
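One way to chain the rule update, config check and restart above so a failed download or a broken rule never leaves the sensor without rules or without a running daemon. This is an added example, not a script from the original post: it downloads to a temp file, swaps the new rules in only when the file looks like a rules file, and runs snort -T on the config before killing the daemon. The paths, URL and interface are the post's; the function names and the validation heuristic are mine.

```sh
#!/bin/sh
# Added example, not the post's own script. Paths, URL and interface come from
# the post; override via the environment. Validation heuristic is mine.
RULES_DIR=${RULES_DIR:-/etc/snort/rules}
RULES_URL=${RULES_URL:-http://www.bleedingsnort.com/bleeding-all.rules}
SNORT_BIN=${SNORT_BIN:-/usr/local/bin/snort}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
IFACE=${IFACE:-eth1}

# A download can "succeed" with an empty body or an HTML error page; a real
# rules file is non-empty and holds at least one rule line.
validate_rules() {
    f=$1
    [ -s "$f" ] || return 1
    grep -Eq '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$f" || return 1
    ! grep -qi '<html' "$f"
}

# Swap the new file in only when it validates, keeping the old copy as .bak,
# so a bad fetch leaves the previous rules intact (rm -f + wget does not).
install_rules() {
    src=$1; dest=$2
    validate_rules "$src" || { echo "refusing to install $src" >&2; return 1; }
    [ -f "$dest" ] && cp -p "$dest" "$dest.bak"
    mv "$src" "$dest"
}
fetch_rules() {
    tmp=$(mktemp "$RULES_DIR/.bleeding.XXXXXX") || return 1
    if wget -q -O "$tmp" "$RULES_URL" && install_rules "$tmp" "$RULES_DIR/bleeding-all.rules"; then
        return 0
    fi
    rm -f "$tmp"; return 1
}
# snort -T parses snort.conf and every rule file and exits non-zero on error,
# so the running sensor is only killed once the new config is known to load.
config_ok() {
    "$SNORT_BIN" -T -c "$SNORT_CONF" -i "$IFACE" >/dev/null 2>&1
}

restart_snort() {
    config_ok || { echo "config fails snort -T, leaving daemon running" >&2; return 1; }
    killall snort 2>/dev/null
    sleep 1
    "$SNORT_BIN" -c "$SNORT_CONF" -i "$IFACE" -g snort -D
}
# Usage: ./snort-update.sh update   (fetch, validate, test config, restart)
case ${1:-} in
    update) fetch_rules && restart_snort ;;
esac
```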
