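#!/bin/sh
#
# snortd        Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description: snort is a lightweight network intrusion detection tool that \
#              currently detects more than 1100 host and network \
#              vulnerabilities, portscans, backdoors, and more.
#
# June 10, 2000 -- Dave Wreski
#   - initial version
# July 08, 2000 Dave Wreski
#   - added snort user/group
#   - support for 1.6.2
# April 11, 2001 Sandro Poppi
#   - added multiple interfaces option for use with dial up lines
#     or more than one sniffer interface
#     I don't think the libpcap option to use "-i any" is a good choice,
#     because snort would be set up to monitor one or more ip-less interfaces
#     while leaving the monitor interface "unprotected"
#   - changed the subsystem name from snort to snortd to get rid of error messages
#     when rebooting (the killall script on a redhat box depends on the correct name)
#   - added a function daemonMult derived from the function daemon in
#     /etc/rc.d/init.d/functions to allow starting multiple instances of snort
#     with the convenience of the daemon function (eventually this could be
#     integrated into the normal daemon function of redhat, have to get in
#     touch with the author)
# January 01, 2002 Sandro Poppi
#   - added check if swatch is installed
#   - added check for interfaces other than ethernet since only those are
#     expected to work with ifconfig
# Review pass
#   - start and stop now read the same INTERFACE variable (stop looped over
#     the unset INTERFACES, so sniffer interfaces were never taken down)
#   - fixed the "[`echo ..." test in stop, which was missing the space after
#     '[' and so never ran
#   - swatch is stopped with killproc instead of "ps x | grep | kill", which
#     could match unrelated processes or call kill with no PID at all
#   - an interface that does not exist is reported and skipped instead of
#     handing a dead interface name to snort
#   - daemonMult resets daemon_user between calls and rejects a missing program
#

# Source function library.
. /etc/rc.d/init.d/functions

# Specify your network interface(s) here, space separated.  eth* entries
# without an ifcfg-* file are brought up IP-less and promiscuous as pure
# sniffer ports; anything else (e.g. ippp* dial-up links) is expected to be
# brought up by whatever owns it.
INTERFACE="ippp0 ippp1"

#
# daemonMult [--check BASE] [--user USER] [+/-NICELEVEL] PROGRAM [ARGS...]
#
# Start PROGRAM under initlog the way the stock daemon() function does, but
# without daemon()'s "already running" check, so the same binary can be
# started once per interface.
#   --check BASE   name to report in the success/failure line
#                  (default: basename of PROGRAM)
#   --user USER    run PROGRAM through "su USER -c"
#   +N / -N        nice level handed to nice(1)
# Returns 1 on a usage error, otherwise the status of success/failure.
#
# NOTE: PROGRAM and ARGS are re-joined with "$*" and passed to initlog -c
# (and, with --user, to su -c) as ONE shell command string, so arguments
# containing whitespace or shell metacharacters are re-split and
# re-interpreted.  Only call this with trusted, literal arguments, as this
# script does.
daemonMult() {
    gotbase=
    daemon_user=
    nicelevel=0
    base=

    # Consume leading options: anything starting with '-' or '+'.
    while [ "$1" != "${1##-}" ] || [ "$1" != "${1##+}" ]; do
        case "$1" in
            --check)
                shift
                base=$1
                gotbase=yes
                shift
                ;;
            --user)
                shift
                daemon_user=$1
                shift
                ;;
            -*|+*)
                nicelevel=$1
                shift
                ;;
        esac
    done

    if [ -z "$1" ]; then
        echo "$0: Usage: daemonMult [--check base] [--user user] [+/-nicelevel] {program} [args]" >&2
        return 1
    fi

    [ -n "$gotbase" ] || base=$(basename "$1")

    # Never let the daemon write a core file: a core of an IDS holds captured
    # packet data, and a world-readable dump would leak it.  This is the soft
    # limit only, so it can still be raised for debugging; it also hides
    # crashes, which is the trade-off the original author accepted.
    ulimit -S -c 0 >/dev/null 2>&1

    [ "$BOOTUP" = "verbose" ] && echo -n " $base"

    # $INITLOG_ARGS is deliberately unquoted: it may be empty or several words.
    if [ -z "$daemon_user" ]; then
        if nice -n "$nicelevel" initlog $INITLOG_ARGS -c "$*"; then
            success "$base startup"
        else
            failure "$base startup"
        fi
    else
        if nice -n "$nicelevel" initlog $INITLOG_ARGS -c "su $daemon_user -c \"$*\""; then
            success "$base startup"
        else
            failure "$base startup"
        fi
    fi
}

#
# bring_up_iface IFACE
#
# Make sure IFACE is usable as a sniffer port before snort is started on it.
# Returns 1 if the kernel does not know the interface at all (caller should
# skip it).  If it exists but is not UP and is an eth* interface, it is
# brought up from its sysconfig ifcfg file when one exists, otherwise with
# no IP address in promiscuous mode.  Non-ethernet interfaces are left alone
# because only ethernet is expected to behave with ifconfig here.
bring_up_iface() {
    iface=$1
    ifstate=$(/sbin/ifconfig "$iface" 2>&1)

    if echo "$ifstate" | /bin/grep -q "Device not found"; then
        return 1
    fi
    if echo "$ifstate" | /bin/grep -q "UP"; then
        return 0
    fi

    case "$iface" in
        eth*)
            # Normally a sniffer interface should have NO ifcfg file (no
            # address means nothing can reach the box through it); honour
            # one if the admin provided it anyway.
            if [ -s "/etc/sysconfig/network-scripts/ifcfg-$iface" ]; then
                /sbin/ifup "$iface"
            else
                # IP-less sniffer interface.
                /sbin/ifconfig "$iface" up promisc
            fi
            ;;
    esac
    return 0
}

#
# take_down_iface IFACE
#
# Shut IFACE down only if it is an eth* interface carrying no IP address,
# i.e. an IP-less sniffer port this script brought up.  Interfaces with an
# address may still be needed for something else and are left up.
take_down_iface() {
    iface=$1
    case "$iface" in
        eth*) ;;
        *) return 0 ;;
    esac
    if /sbin/ifconfig "$iface" 2>&1 | /bin/grep -q "inet addr:"; then
        return 0
    fi
    /sbin/ifconfig "$iface" down
}

#
# start_snortd
#
# Start swatch (if installed) and then one snort instance per interface in
# $INTERFACE.  Creates /var/lock/subsys/{swatch,snortd}.
start_snortd() {
    if [ -x /usr/bin/swatch ]; then
        echo -n "Starting swatch: "
        # swatch is started before snort (and runs as root, like this
        # script) so that snort's own startup errors are caught: with the
        # snort option -s they land in /var/log/secure, with
        # "output alert_syslog:" in snort.conf they land in /var/log/messages.
        /usr/bin/swatch --daemon --tail /var/log/messages \
            --config-file /etc/swatch/swatchrc &
        touch /var/lock/subsys/swatch
        echo "done."
        echo
    fi

    for i in $INTERFACE; do
        echo -n "Starting snort on interface $i: "
        if ! bring_up_iface "$i"; then
            # Handing a non-existent interface to snort only produces a
            # failed instance; report it here instead.
            echo -n "no such interface"
            failure "snort startup"
            echo
            continue
        fi
        # snort is started as root (raw socket) and is told to run as
        # snort:snort via -u/-g, so daemonMult's --user is not used here.
        # All instances share /var/log/snort; -I tags alerts with the
        # interface name so they can be told apart.
        daemonMult /usr/sbin/snort -u snort -g snort -d -D \
            -i "$i" -I -l /var/log/snort -c /etc/snort/snort.conf
        echo
    done
    touch /var/lock/subsys/snortd
}

#
# stop_snortd
#
# Stop every snort instance, stop swatch if installed, and take down the
# IP-less ethernet sniffer interfaces this script brought up.
stop_snortd() {
    echo -n "Stopping snort: "
    killproc snort
    rm -f /var/lock/subsys/snortd

    if [ -x /usr/bin/swatch ]; then
        echo
        echo -n "Stopping swatch: "
        # killproc locates the process by name (pidof -x also matches
        # scripts, which swatch is); the previous "ps x | grep" pipeline
        # could pick up any process whose command line mentioned
        # /usr/bin/swatch and ran kill with no PID when nothing matched.
        # NOTE(review): confirm pidof -x finds your swatch version; if not,
        # have swatch write a pid file and kill from that.
        killproc swatch
        rm -f /var/lock/subsys/swatch
    fi

    for i in $INTERFACE; do
        take_down_iface "$i"
    done
    echo
}

# See how we were called.
case "$1" in
    start)
        start_snortd
        ;;
    stop)
        stop_snortd
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    status)
        status snort
        #status swatch
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
        ;;
esac

exit 0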