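#!/bin/bash
#
# snortstart - wrapper/installer for the snort IDS.
#
# Two jobs:
#   1. `-i IFACE -d DIR`  run from a compiled snort source tree: create DIR as a
#      self-contained chroot (snort binary, rule files, needed shared libs, a
#      minimal etc/ with passwd/group entries for a dedicated unprivileged
#      account) and drop a copy of this script into it with SNTIF preset.
#   2. run with no options from inside DIR: start (or restart) snort chrooted
#      in DIR on SNTIF, dropping to the dedicated user/group; `-s` stops it.
#
# Must be run as root.  See printhelp for the full option list.
# Author: zas at norz.org

PROGNAME=snortstart
VERSION="v0.17 21-09-2000 release"

#configure here
SNTRULESFILE=snort-lib   # default rules file
SNTIF=ppp0               # default interface (rewritten in the installed copy)
OPTIONS=deb              # options to snort command line
NET=32                   # subnet mask part ex. xxx.xxx.xxx.xxx/24 -> NET=24
AUTO_IP=yes              # comment to have no home_net variable autoconfigured
VERBOSE=                 # comment to hide verbose checking of needed utilities
#end configure

SNTPIDDIR=/var/run
RESTART=
DAEMON=-D
V=          # becomes "-v" in debug mode; forwarded to cp/chown/chmod/rm/ldconfig
STOP=
DIR=
INIT_IF=
IP=

#######################################
# Coloured message helpers.  The text is printed with %b so backslash
# escapes inside the message (\r, \t) are honoured, as `echo -e` did.
# Arguments: message words (joined by a space)
# Outputs:   the message on stdout
#######################################
good() { printf '\033[01;32m%b\033[00m\n' "$*"; }   # green
bad()  { printf '\033[01;31m%b\033[00m\n' "$*"; }   # red
inf()  { printf '\033[01;33m%b\033[00m\n' "$*"; }   # yellow

#######################################
# Exit the script; also the handler for TERM/HUP/INT.
# Arguments: $1 - exit status (optional; defaults to the status of the
#                 command that ran just before the call, like a bare `exit`)
#######################################
cleanexit() {
  local rc=$?
  exit "${1:-$rc}"
}

#######################################
# Print usage text (expands the current defaults) to stdout.
#######################################
printhelp() {
  cat <<EOF
${PROGNAME} ${VERSION}

This utility is only useful with Snort IDS source code
You can download it at www.snort.org

Options:
  -h, --help     Display this help message and exit.
  -d dir         Install snort stuff in dir.
  -i interface   Create a new dir, install and configure for interface.
  -D             Debug mode
  -v             Verbose mode
  -n ip          Do not use ip discovery function, use ip instead.
  -N submask     Use submask as subnet mask (default: ${NET})
  -o options     Use options as snort additionnal options (default: ${OPTIONS})
  -s             Stop snort

Decompress,configure and compile snort source code, then copy snortstart
in snort source code directory.
As super user :
  To automagically install snort in chroot dir :
    #> ./${PROGNAME} -i eth0 -d /somedir/newdir
  To debug installation :
    #> ./${PROGNAME} -D -v -i ppp0 -d /somedir/snortd-ppp0
  To start or restart snort :
    #> /somedir/newdir/${PROGNAME}
  To stop snort :
    #> /somedir/newdir/${PROGNAME} -s

Quickstart:
  #> cd snort-1.6.x
  #> ./configure
  #> make
  #> cp /somedir/${PROGNAME} .
  #> ./${PROGNAME} -i eth0 -d snortd
  #> ./snortd/${PROGNAME}

Optional:
  Edit first lines of ${PROGNAME} script to change default values :
    SNTRULESFILE=${SNTRULESFILE}
    SNTIF=${SNTIF}
    OPTIONS=${OPTIONS}
    NET=${NET}
    AUTO_IP=${AUTO_IP}
    VERBOSE=${VERBOSE}
EOF
}

#######################################
# Print the banner.
#######################################
title() {
  inf "${PROGNAME} ${VERSION}"
  inf "wrapper/installer for snort IDS utility"
  echo
}

#######################################
# Abort unless the effective uid is 0.  Fails closed: if `id -u` cannot be
# read at all the script is treated as not running as root.
#######################################
checkifroot() {
  if [[ "$(id -u 2>/dev/null)" != "0" ]]; then
    bad "Must be r00t !"
    cleanexit 1
  fi
}

#######################################
# Verify every external tool and filesystem path this script relies on.
# Globals:   VERBOSE (read) - also report the successful checks
# Returns:   exits 1 on the first missing item
#######################################
checkneeded() {
  local i
  for i in id awk ifconfig sed userdel useradd groupdel groupadd ldd ldconfig \
           grep chmod chown false; do
    if command -v "$i" >/dev/null 2>&1; then
      if [[ -n "$VERBOSE" ]]; then
        printf 'Checking if %s is available... ' "$i"
        good "\r\t\t\t\t\t\t\tYes"
      fi
    else
      printf 'Checking if %s is available... ' "$i"
      bad "No"
      echo "${i} is needed for executing this script. Exiting..."
      cleanexit 1
    fi
  done
  for i in /proc /etc/passwd /etc/group /var /var/run /dev/null; do
    if [[ -e "$i" ]]; then
      if [[ -n "$VERBOSE" ]]; then
        printf 'Checking if %s is available... ' "$i"
        good "\r\t\t\t\t\t\t\tYes"
      fi
    else
      printf 'Checking if %s is available... ' "$i"
      bad "No"
      echo "${i} not found. Exiting..."
      cleanexit 1
    fi
  done
}

#######################################
# Test whether a pid belongs to a live process named "snort".
# Arguments: $1 - pid (typically read from the pid file); anything that is
#                 not a plain decimal number is rejected before it is used
#                 to build a /proc path
# Returns:   0 if /proc/$1/status reports Name: snort, 1 otherwise
#######################################
running() {
  local pid=$1 name
  [[ "$pid" =~ ^[0-9]+$ ]] || return 1
  [[ -e "/proc/${pid}/status" ]] || return 1
  name=$(awk '/^Name:[[:space:]]/ {print $2}' "/proc/${pid}/status")
  [[ "$name" == "snort" ]]
}

#######################################
# Print the pid recorded for an interface, if a pid file exists.
# Arguments: $1 - interface name
# Outputs:   contents of ${SNTPIDDIR}/snort_$1.pid on stdout
# Returns:   1 when there is no pid file
#######################################
getpid() {
  local pidfile="${SNTPIDDIR}/snort_${1}.pid"
  [[ -f "$pidfile" ]] && cat -- "$pidfile"
}

#######################################
# Derive the installation directory layout.
# Arguments: $1 - base directory (optional; defaults to the directory this
#                 script lives in)
# Globals:   SNTDIR, LOG, ETC, LIB, SNTLOGDIR, SNTETCDIR, SNTLIBDIR (written)
#######################################
setdirs() {
  local pth
  # ${0%/*} would return the script name itself when $0 has no slash, so
  # fall back to "." in that case.
  if [[ "$0" == */* ]]; then
    pth=${0%/*}
  else
    pth=.
  fi
  SNTDIR=${1:-$pth}
  SNTDIR=${SNTDIR%%/}          # drop one trailing slash
  LOG=log
  ETC=etc
  LIB=lib
  SNTLOGDIR=${SNTDIR}/${LOG}
  SNTETCDIR=${SNTDIR}/${ETC}
  SNTLIBDIR=${SNTDIR}/${LIB}
  if [[ -n "$VERBOSE" ]]; then
    echo "Using ${SNTDIR} as main directory"
    echo "Using ${SNTLOGDIR} as log directory"
    echo "Using ${SNTETCDIR} as etc directory"
    echo "Using ${SNTLIBDIR} as lib directory"
  fi
}

#######################################
# Build the account name used for an interface: "snt" + interface, with
# every non-alphanumeric character replaced by "-".  Because the result is
# only [A-Za-z0-9-], it is safe to interpolate into awk/grep/sed below.
# Arguments: $1 - interface name
# Outputs:   the sanitized name on stdout
#######################################
sanitize_name() {
  local raw="snt${1}"
  printf '%s\n' "${raw//[^[:alnum:]]/-}"
}
setuser()  { sanitize_name "$1"; }
setgroup() { sanitize_name "$1"; }

#######################################
# Remove the account, group and directory of an installation.
# Not wired to any command-line option in this script.
# Globals:   SNTPID, SNTUSER, SNTGROUP, SNTDIR, V (read)
#######################################
uninstall() {
  if [[ -n "$SNTPID" ]] && running "$SNTPID"; then
    printf 'Snort running under PID %s. Stopping...' "$SNTPID"
    kill -TERM "$SNTPID" && good "Done."
  fi
  userdel "$SNTUSER" && good "User $SNTUSER removed"
  groupdel "$SNTGROUP" && good "Group $SNTGROUP removed"
  # ${SNTDIR:?} aborts rather than running rm -r on an empty path.
  [[ -d "$SNTDIR" ]] && rm -ri ${V:+"$V"} -- "${SNTDIR:?}"
  cleanexit 0
}

#######################################
# Print the numeric id (3rd field) of an account or group.
# Arguments: $1 - name, matched as an exact first field (no regex involved)
#            $2 - /etc/passwd or /etc/group
# Outputs:   the id on stdout, nothing if the name is absent
#######################################
lookup_id() {
  awk -F: -v name="$1" '$1 == name {print $3}' "$2"
}

#######################################
# Make sure the snort group exists; create it if needed.
# Globals:   SNTGROUP (read), SNTGID (written)
# Returns:   exits 1 if the group cannot be created or found
#######################################
ensure_group() {
  SNTGID=$(lookup_id "$SNTGROUP" /etc/group)
  if [[ -z "$SNTGID" ]]; then
    inf "Creating group ${SNTGROUP}"
    groupadd "$SNTGROUP" || { bad "Error"; cleanexit 1; }
    SNTGID=$(lookup_id "$SNTGROUP" /etc/group)
  fi
  [[ -n "$SNTGID" ]] || cleanexit 1
}

#######################################
# Make sure the snort user exists (no home, no login shell); create it if
# needed.  ensure_group must have run first.
# Globals:   SNTUSER, SNTGID (read), SNTUID (written)
# Returns:   exits 1 if the user cannot be created or found
#######################################
ensure_user() {
  SNTUID=$(lookup_id "$SNTUSER" /etc/passwd)
  if [[ -z "$SNTUID" ]]; then
    inf "Creating user ${SNTUSER}"
    useradd -g "$SNTGID" -d /dev/null -s /bin/false "$SNTUSER" \
      || { bad "Error"; cleanexit 1; }
    SNTUID=$(lookup_id "$SNTUSER" /etc/passwd)
  fi
  [[ -n "$SNTUID" ]] || cleanexit 1
}

#######################################
# Create a directory if it does not exist.
# Arguments: $1 - directory path
# Returns:   exits 1 if mkdir fails
#######################################
make_dir() {
  if [[ ! -e "$1" ]]; then
    mkdir -p -- "$1" || cleanexit 1
  fi
  if [[ -n "$VERBOSE" ]]; then
    echo "$1 directory ok."
  fi
}

#######################################
# Copy every shared library ./snort links against into the chroot lib dir.
# Candidate directories are /lib, /usr/lib and the words of /etc/ld.so.conf
# (an `include` directive there is not followed).  The first directory that
# holds a library wins; later matches are skipped because the destination
# already exists.
# Globals:   SNTLIBDIR, V (read)
#######################################
copy_libs() {
  local lib dir
  local -a search=(/lib /usr/lib) words
  if [[ -r /etc/ld.so.conf ]]; then
    while read -r -a words; do
      search+=("${words[@]}")
    done < /etc/ld.so.conf
  fi
  while read -r lib _; do
    lib=${lib##*/}
    for dir in "${search[@]}"; do
      dir=${dir%%/}
      if [[ -e "${dir}/${lib}" && ! -e "${SNTLIBDIR}/${lib}" ]]; then
        cp -f ${V:+"$V"} -- "${dir}/${lib}" "${SNTLIBDIR}/"
      fi
    done
  done < <(ldd snort | grep -v 'statically linked' | grep ' => ')
}

#######################################
# Install snort into a new chroot directory for one interface.
# Must be run from the snort compilation tree (./snort and ./snort-lib).
# Arguments: $1 - interface name
# Globals:   SNTDIR and friends (from setdirs), V (read);
#            SNTPID, SNTUSER, SNTGROUP, SNTUID, SNTGID (written)
# Returns:   always exits (0 on success, 1 on any failure)
#######################################
init() {
  local newif=$1
  [[ -n "$newif" ]] || cleanexit 1
  [[ -n "$SNTDIR" ]] || cleanexit 1
  SNTPID=$(getpid "$newif")
  SNTUSER=$(setuser "$newif")
  SNTGROUP=$(setgroup "$newif")

  if [[ -d "$SNTDIR" ]]; then
    bad "${SNTDIR} already exists ! Exiting ...."
    cleanexit 1
  fi
  if [[ ! -x ./snort ]]; then
    bad "No snort executable in this directory ! Must be in snort compilation tree..."
    cleanexit 1
  fi
  if [[ ! -e ./snort-lib ]]; then
    bad "No snort-lib in this directory ! Must be in snort compilation source dir"
    cleanexit 1
  fi
  if [[ -n "$SNTPID" ]] && running "$SNTPID"; then
    printf 'Snort running under PID %s. Stopping...' "$SNTPID"
    kill -TERM "$SNTPID" && good "Done."
  fi

  ensure_group
  ensure_user
  if [[ -n "$VERBOSE" ]]; then
    echo "Using user ${SNTUSER}(${SNTUID}) and group ${SNTGROUP}(${SNTGID})"
  fi

  make_dir "$SNTDIR"
  make_dir "$SNTLOGDIR"
  make_dir "$SNTETCDIR"
  make_dir "$SNTLIBDIR"

  cp -fa ${V:+"$V"} ./*-lib "${SNTDIR}/"
  [[ -e /etc/localtime ]] && cp -f /etc/localtime "${SNTETCDIR}/"
  copy_libs
  # Inside the chroot the libraries live in /lib; build the cache there.
  echo "/lib" >> "${SNTETCDIR}/ld.so.conf"
  ldconfig -f "/${ETC}/ld.so.conf" -C "/${ETC}/ld.so.cache" ${V:+"$V"} \
    -r "${SNTDIR}" 2>/dev/null
  # Minimal passwd/group so snort can resolve -u/-g after chroot.
  grep -- "^${SNTUSER}:" /etc/passwd > "${SNTETCDIR}/passwd"
  grep -- "^${SNTGROUP}:" /etc/group > "${SNTETCDIR}/group"
  cp -fa ${V:+"$V"} ./snort "${SNTDIR}/"
  # Install a copy of this very script ($0, not a file named after PROGNAME
  # in the cwd) with the interface baked into its SNTIF= line.
  sed "s|^SNTIF=.*|SNTIF=${newif}|" "$0" > "${SNTDIR}/${PROGNAME}"
  chmod 500 "${SNTDIR}/${PROGNAME}"
  [[ -f vision-lib ]] && cp -fa ${V:+"$V"} vision-lib "${SNTDIR}/"
  [[ -f update-vision ]] && cp -fa ${V:+"$V"} update-vision "${SNTDIR}/"
  chown -R ${V:+"$V"} "${SNTUSER}:${SNTGROUP}" "$SNTDIR" || cleanexit 1
  chmod -R ${V:+"$V"} o-rwx "$SNTDIR" || cleanexit 1

  good "Snort installation in ${SNTDIR} completed."
  echo "Type ${SNTDIR}/snortstart to run snort daemon using interface ${newif}."
  good "Log files go in ${SNTLOGDIR}."
  cleanexit 0
}

#######################################
# Check that an installed tree looks usable before starting snort.
# Globals:   SNTDIR, SNTLOGDIR (read)
# Returns:   exits 1 on the first failed check
#######################################
check_sanity() {
  if [[ ! -e "${SNTDIR}/snort" ]]; then
    bad "Cant find snort executable. Exiting..."; cleanexit 1
  fi
  if [[ ! -f "${SNTDIR}/snort" ]]; then
    bad "snort is not a regular file. Exiting..."; cleanexit 1
  fi
  if [[ ! -x "${SNTDIR}/snort" ]]; then
    bad "Cant execute snort. Exiting..."; cleanexit 1
  fi
  if [[ ! -e "$SNTLOGDIR" ]]; then
    bad "Cant find ${SNTLOGDIR}. Exiting..."; cleanexit 1
  fi
  if [[ ! -d "$SNTLOGDIR" ]]; then
    bad "${SNTLOGDIR} is not a directory. Exiting..."; cleanexit 1
  fi
}

#######################################
# Set HOME_NET to IP/NET.
# Arguments: $1 - interface to read the address from with ifconfig
#                 (optional; when absent the IP given with -n is used)
# Globals:   IP, NET (read; IP written when $1 is given), HOME_NET (written)
# Returns:   exits 1 when no dotted-quad address can be found on $1
#######################################
sethomenet() {
  local raw
  if [[ -n "$1" ]]; then
    raw=$(ifconfig "$1" | awk '/inet / {print $2}')
    # Take the first dotted quad only; an interface with several "inet"
    # lines must not yield a multi-address string.
    if [[ "$raw" =~ [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ ]]; then
      IP=${BASH_REMATCH[0]}
    else
      IP=
    fi
    if [[ -z "$IP" ]]; then
      bad "Cannot get ip from interface ${1}"
      cleanexit 1
    fi
  fi
  HOME_NET="${IP}/${NET}"
  if [[ -n "$VERBOSE" ]]; then
    inf "HOME_NET is set to ${HOME_NET}"
  fi
}

#######################################
# Start snort chrooted in SNTDIR (stopping the old instance first when
# RESTART is set) and confirm it came up.
# Globals:   SNTDIR, SNTIF, DAEMON, OPTIONS, SNTRULESFILE, SNTGROUP, SNTUSER,
#            LOG, HOME_NET, RESTART, SNTPIDDIR, SNTLOGDIR (read);
#            SNTPID (written)
# Returns:   exits 1 if the old instance cannot be killed, the directory
#            cannot be entered, or the new instance is not running
#######################################
run() {
  local -a cmd opt_words
  local pidfile="${SNTPIDDIR}/snort_${SNTIF}.pid"

  pushd "$SNTDIR" >/dev/null 2>&1 || { bad "Cannot enter ${SNTDIR}"; cleanexit 1; }

  # OPTIONS is split on whitespace into separate arguments (as the former
  # unquoted expansion did) but is never glob-expanded.
  read -r -a opt_words <<<"-${OPTIONS}"
  cmd=(./snort)
  [[ -n "$DAEMON" ]] && cmd+=("$DAEMON")
  cmd+=(-i "$SNTIF" "${opt_words[@]}" -c "$SNTRULESFILE"
        -g "$SNTGROUP" -u "$SNTUSER" -t . -l "$LOG"
        -h "$HOME_NET" -S "HOME_NET=${HOME_NET}")

  if [[ -n "$RESTART" ]]; then
    kill -TERM "$SNTPID" || cleanexit 1
  fi
  rm -f -- "$pidfile"
  echo "Running command :"
  printf '%s\n' "${cmd[*]}"
  "${cmd[@]}" && good "Started"
  popd >/dev/null 2>&1

  sleep 1
  SNTPID=$(getpid "$SNTIF")
  if [[ -n "$SNTPID" ]] && running "$SNTPID"; then
    good "Snort running under PID ${SNTPID}, listening interface ${SNTIF}."
  else
    bad "Snort failed to start."
    cleanexit 1
  fi
  # Use the absolute log dir: after popd the cwd is no longer SNTDIR.
  chown "${SNTUSER}:${SNTGROUP}" "${SNTLOGDIR}"/*
}

#######################################
# Stop the running instance for SNTIF and remove its pid file.
# Globals:   SNTPID, SNTIF, SNTPIDDIR (read)
# Returns:   exits 0 when stopped; returns otherwise
#######################################
stop() {
  printf 'Snort [%s]... ' "$SNTPID"
  if [[ -n "$SNTPID" ]] && running "$SNTPID"; then
    if kill -TERM "$SNTPID"; then
      good "Stopped"
      rm -f -- "${SNTPIDDIR}/snort_${SNTIF}.pid"
      cleanexit 0
    fi
    bad "Not stopped"
  else
    bad "Not running"
  fi
}

#######################################
# Entry point: parse options, run the checks, then install, stop or
# start/restart as requested.
# Arguments: command line (see printhelp)
#######################################
main() {
  local opt
  if [[ "${1:-}" == "--help" ]]; then
    printhelp
    cleanexit
  fi
  while getopts ":hi:d:Dvsn:N:o:" opt; do
    case "$opt" in
      i) INIT_IF=$OPTARG; SNTIF=$INIT_IF ;;
      d) DIR=$OPTARG ;;
      h) printhelp; cleanexit ;;
      D) inf "Debug mode enabled."; DAEMON=""; V="-v" ;;
      v) inf "Verbose mode enabled."; VERBOSE="yes" ;;
      s) STOP="yes" ;;
      n) AUTO_IP=""; IP=$OPTARG ;;
      N) NET=$OPTARG ;;
      o) OPTIONS=$OPTARG ;;
      *) printhelp; cleanexit 1 ;;
    esac
  done

  title
  checkifroot
  checkneeded
  setdirs "$DIR"
  if [[ -n "$AUTO_IP" ]]; then
    sethomenet "$SNTIF"
  else
    sethomenet
  fi

  # Install mode: init never returns.
  if [[ -n "$INIT_IF" ]]; then
    init "$INIT_IF"
    cleanexit 0
  fi

  SNTPID=$(getpid "$SNTIF")
  SNTUSER=$(setuser "$SNTIF")
  SNTGROUP=$(setgroup "$SNTIF")
  if [[ -n "$STOP" ]]; then
    stop
    cleanexit 0
  fi
  if running "$SNTPID"; then
    inf "Snort already running under PID ${SNTPID}. RESTARTING ..."
    RESTART="yes"
  fi
  check_sanity
  run
  cleanexit 0
}

trap cleanexit TERM HUP INT
main "$@"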