Hello everybody,
I've installed a snort box (yum install snort & snort-mysql) on FC7
with 2 NICs:
eth0 (192.168.0.50)
eth1 (192.168.0.51) in promisc mode, dedicated ***only*** to snort sniffing
All seems OK, but 2 problems still persist:
1) What's the best way to put eth1 in promisc mode on startup?
I thought of editing /etc/sysconfig/networking/devices/ifcfg-eth1,
adding the line:
PROMISC=yes
but it doesn't work.
Is "ifconfig eth1 promisc" the only solution?
2) I've modified /etc/rc.d/init.d/snortd, adapting it to the snort-mysql binary:
#!/bin/sh
#
# snortd Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description: snort is a lightweight network intrusion detection tool that
# currently detects more than 1100 host and network
# vulnerabilities, portscans, backdoors, and more.
#
# June 10, 2000 -- Dave Wreski <dave@xxxxxxxxxxxxxxxxx>
# - initial version
#
# July 08, 2000 Dave Wreski <dave@xxxxxxxxxxxxxxxxxxx>
# - added snort user/group
# - support for 1.6.2
# July 31, 2000 Wim Vandersmissen <wim@xxxxxxx>
# - added chroot support

# Source function library.
. /etc/rc.d/init.d/functions

# Specify your network interface here
INTERFACE=eth1

# See how we were called.
case "$1" in
  start)
        echo -n "Starting snort-mysql: "
        cd /var/log/snort
        daemon /usr/sbin/snort-mysql -b -l /var/log/snort -d -D \
                -i $INTERFACE -c /etc/snort/snort.conf
        touch /var/lock/subsys/snort
        echo
        ;;
  stop)
        echo -n "Stopping snort-mysql: "
        killproc snort-mysql
        rm -f /var/lock/subsys/snort
        echo
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        status snort-mysql
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
esac

exit 0

Practically, I've substituted "snort-mysql" with "snort" and deleted
the " -A fast" option.
This script is launched without problems at the very startup of FC7 (as I
can see from the console),
but after the login, "service snortd status" replies "snort-mysql is stopped".
Anyway, "service snortd start" works without problems.
Thanks a lot in advance for your help,
fabianope