#!/bin/sh
#
# Created by the Honeynet Project <project@honeynet.org>
#
# Version 0.3
# Updated 05 December, 2003
#
# PURPOSE:
# Used to launch snort_inline for advanced Data Control
#

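# Set variables
# PATH is pinned so that every command used below resolves to a system
# binary rather than to something inherited from the caller's environment.
PATH=/bin:/usr/local/bin
PID=/var/run/snort_inline.pid
DIR=/var/log/snort_inline
SNORT=/usr/local/bin/snort_inline
CONF=/etc/snort_inline/snort_inline.conf
USER=snort
DATE=$(date +%Y%m%d) || exit 1
# Per-day log directory that snort_inline writes into (and is chrooted to).
LOGDIR=$DIR/$DATE

# Treat unset variables as an error.  Command failures are checked
# explicitly below so the script stays within POSIX sh (no [[ ]], no
# pipefail, no arrays).
set -u

# die MESSAGE...: print MESSAGE to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# is_pid STRING: succeed only when STRING is a non-empty run of digits.
is_pid() {
  case $1 in
    '' | *[!0-9]*) return 1 ;;
  esac
  return 0
}

### Kill snort
# Stop a previously started snort_inline via its pid file.  The file's
# content is handed to kill(1) only after it has been validated as a plain
# PID, so a truncated, stale or otherwise malformed pid file can never turn
# into a signal to an unrelated process (or, as "-1" would, to every
# process).  The old daemon gets SIGTERM and a short grace period to flush
# and close its log files; SIGKILL is used only as a last resort, and the
# wait also ensures the old instance has released the queue before the new
# one is started.
stop_previous() {
  [ -s "$PID" ] || return 0
  old_pid=$(cat "$PID")
  if ! is_pid "$old_pid"; then
    printf 'Ignoring %s: contents are not a PID\n' "$PID" >&2
    return 0
  fi
  if ! kill -0 "$old_pid" 2>/dev/null; then
    printf 'Stale pid file %s: no process %s\n' "$PID" "$old_pid" >&2
    return 0
  fi
  echo ""
  echo "Previous version of snort_inline running"
  echo "Killing snort_inline, PID $old_pid"
  echo ""
  # The process may exit between the check above and this signal; that is
  # not an error.
  kill -TERM "$old_pid" 2>/dev/null || return 0
  grace=10
  while [ "$grace" -gt 0 ] && kill -0 "$old_pid" 2>/dev/null; do
    sleep 1
    grace=$((grace - 1))
  done
  if kill -0 "$old_pid" 2>/dev/null; then
    printf 'snort_inline PID %s did not exit; sending SIGKILL\n' "$old_pid" >&2
    kill -KILL "$old_pid" 2>/dev/null || :
  fi
}

# Make directory based on date, if already exists do nothing.
# Any failure here is fatal: starting the daemon with a missing or
# root-owned log directory would make it fail or log nowhere.
make_logdir() {
  [ -d "$LOGDIR" ] && return 0
  mkdir "$LOGDIR" || die "cannot create $LOGDIR"
  # NOTE(review): the directory mode follows the umask; the logs hold full
  # packet captures, so consider mkdir -m 0750 if no other reader needs
  # access to them.
  chown "$USER" "$LOGDIR" || die "cannot chown $LOGDIR to $USER"
}

# Snort options explanation
# -b log packets in tcpdump format
# -c configuration file
# -d log packet details
# -D daemon mode
# -l log directory
# -i interface in our case eth0, this option is required when using
# the -Q option.
# -Q (used ONLY with Snort-Inline for QUEUE mode)
# -t chroot to the given directory after initialisation
# -u $USER run snort as UID $USER, in our case "snort" (see USER above)

### Start snort for the Honeynet
start_snort() {
  [ -x "$SNORT" ] || die "$SNORT is not executable"
  [ -r "$CONF" ] || die "cannot read $CONF"
  # -u is passed so the daemon drops to $USER after initialisation; that is
  # why the log directory is chowned to that user in make_logdir.
  "$SNORT" -D -d -c "$CONF" -Q -l "$LOGDIR" -t "$LOGDIR" -u "$USER" \
    || die "snort_inline failed to start"
}

# Entry point: stop any running instance, prepare today's log directory,
# then start the daemon.  Exits 0 only if snort_inline was launched.
main() {
  stop_previous
  make_logdir
  start_snort
}

main
exit 0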
