Given the original script submitted by [EMAIL PROTECTED]:

    #!/bin/perl
    $date = `date | awk '{print $4}'`;
    $snoop = "/usr/sbin/snoop";
    $filename = "`date +%y%m%d%H%M`.sno";
    $logfile = "/opt/$filename";
    $pid = `/bin/pgrep snp.pl`;
    system("/usr/sbin/snoop -d ge0 -ta >> $logfile &");

    until ("1" eq "0"){
        if ($date == "00:00:00"){
            system("/bin/pkill -P $pid");
            print "=========== `date` ==================\n" > $logfile;
            system("/usr/sbin/snoop -d ge0 -ta >> $logfile &");
        }
    }

It seems to me that this will run in a busy loop continually checking the time. I see two better alternatives:

(1) Use cron as already suggested to eliminate the until loop in the script;
(2) Run the script as a daemon that occasionally checks the time and every 24hrs creates a new logfile.

I don't see the point of using perl for either since (2) can be done easily with a Bourne shell script, something like this:

    #!/bin/sh
    # untested daemon for logging snoop output
    interval=60    # seconds between checking day change
    while :
    do
        day="`date +%d`"
        date=`date +%y%m%d%H%M`
        logfile="/opt/${date}.sno"
        echo $date > $logfile
        /usr/sbin/snoop -d ge0 -ta >> $logfile &
        pid=$!     # PID of the snoop just started, so the kill below hits it
        while :
        do
            sleep $interval
            newday="`date +%d`"
            # string comparison: -ne is numeric only and fails on the "a" prefix
            if [ "a$day" != "a$newday" ]
            then
                kill -9 $pid    # I believe in sure kills
                break           # out of inner while loop
            fi
        done
    done

This needs testing, particularly regarding the success of the kill, but I would not fix what ain't broke. The use of snoop with your given options and ge0 device descriptor confirms that you are running SunOS: on Linux I would use tcpdump which is available on Solaris also and is more versatile for later analysis of the logs with some tools including ethereal (www.ethereal.com). If you need an excellent, open source IDS, Snort's the best beast (www.snort.org). Why else would you dedicate a machine to promiscuous mode?

--
Tris Nefzger

-----Original Message-----
From: Stephen Hardisty [mailto:[EMAIL PROTECTED]
Sent: Monday, September 22, 2003 5:10 PM
To: Perl List
Subject: Re: stop/start

> $SIG{ALRM} = {
>     `this-script`;
>     exit;
> };

Sorry, didn't think it through (before anybody notices.....). Remove the thing that executes the script (the bit in backticks) and just have the process start on a cron job. Tired, apologies.
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
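
Added example, not part of the original thread: a sketch of alternative (1), where cron runs a short script at midnight that stops the previous capture through a pidfile and starts a new one in a dated file. The script name, crontab entry and pidfile path are assumptions; the snoop command and the /opt log location are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): rotate the capture from cron.
# Assumed crontab entry:  0 0 * * * /opt/rotate_capture.sh run
CAPTURE_CMD=${CAPTURE_CMD:-"/usr/sbin/snoop -d ge0 -ta"}  # command from the thread
LOG_DIR=${LOG_DIR:-/opt}                                   # directory from the thread
PID_FILE=${PID_FILE:-/var/run/snoop_capture.pid}           # assumed, root-writable only

# Stop the capture recorded in the pidfile, if there is one.
stop_capture() {
    [ -f "$PID_FILE" ] || return 0
    old=`cat "$PID_FILE"`
    rm -f "$PID_FILE"
    case "$old" in
        ''|*[!0-9]*) return 0 ;;          # refuse to act on a corrupt pidfile
    esac
    kill "$old" 2>/dev/null || return 0   # SIGTERM first so buffered output is written
    n=0
    while kill -0 "$old" 2>/dev/null && [ "$n" -lt 5 ]; do
        sleep 1
        n=`expr "$n" + 1`
    done
    if kill -0 "$old" 2>/dev/null; then
        kill -9 "$old" 2>/dev/null || :   # last resort after the grace period
    fi
    return 0
}

# Start a new capture into a dated file and record its PID.
start_capture() {
    CURRENT_LOG="$LOG_DIR/`date +%y%m%d%H%M`.sno"
    echo "=========== `date` ==================" > "$CURRENT_LOG"
    $CAPTURE_CMD >> "$CURRENT_LOG" 2>&1 &   # unquoted on purpose: command plus arguments
    echo $! > "$PID_FILE"
}

case "${1:-}" in
    run) stop_capture; start_capture ;;
esac
```

Recording the PID at start time avoids matching processes by name with pgrep/pkill, and the pidfile should live where only root can write, since its content decides which process gets signalled.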