  1. #1
    Just Joined! adamdaughterson's Avatar
    Join Date
    Mar 2003
    Location
    Denver, Colorado, USA
    Posts
    78

    running arpwatch in ssh command has interesting results


    Hi again Forum!

    I have a set of scripts that (with one exception...) work great to check if certain processes are running, and if not, start those processes. Without further preamble...

    Code:
    #!/bin/bash
    
    SENSORLIST=( qa-ids-sensor1 lv-ids-sensor1 lv-ids-sensor2 cp-ids-sensor1 cp-ids-sensor2 )
    
    count=${#SENSORLIST[@]}
    
    is_arpwatch_running()
    {
    index=0
    while [ $index -lt $count ]
    do
    	arpwatch_ps_cmd=`ssh ${SENSORLIST[$index]} "ps -e|grep arpwatch"`
    	if [ "$arpwatch_ps_cmd" != "" ]
    	then
    		echo "${SENSORLIST[$index]}: results: $arpwatch_ps_cmd"
    	else
    		ssh ${SENSORLIST[$index]} "exec arpwatch -d -i eth0 -f /var/lib/arpwatch/arp.dat >> /var/log/ossim/arpwatch.log &"
    		sleep 10
    		echo $arpwatch_ps_cmd
    		echo "arpwatch started on ${SENSORLIST[$index]}"
    	fi
    	let "index = $index + 1"
    done
    }
    
    is_snort_running()
    {
    index=0
    while [ $index -lt $count ]
    do
    	snort_ps_cmd=`ssh ${SENSORLIST[$index]} "ps -e|grep snort"`
    	if [ "$snort_ps_cmd" !=  "" ]
    	then
    		echo "${SENSORLIST[$index]}: results: $snort_ps_cmd"
    	else
    		ssh ${SENSORLIST[$index]} "exec /usr/local/bin/snort -i eth0 -c /etc/snort/snort.conf -o -D"
    		sleep 10
    		echo $snort_ps_cmd
    		echo "Snort started on ${SENSORLIST[$index]}"
    	fi
        let "index = $index + 1"	
    done
    }
    
    is_p0f_running()
    {
    index=0
    while [ $index -lt $count ]
    do
    	p0f_ps_cmd=`ssh ${SENSORLIST[$index]} "ps -e|grep p0f"`
    	if [ "$p0f_ps_cmd" !=  "" ]
    	then
    		echo "${SENSORLIST[$index]}: results: $p0f_ps_cmd"
    	else
    		ssh ${SENSORLIST[$index]} "exec /usr/sbin/p0f -i eth0 -lUNtd -o /var/log/ossim/p0f.log"
    		sleep 10
    		echo $p0f_ps_cmd
    		echo "p0f started on ${SENSORLIST[$index]}"
    	fi
        let "index = $index + 1"	
    done
    }
    
    is_snort_running
    is_p0f_running
    is_arpwatch_running
    So the parts that look to see if snort and p0f are running work great: if they ain't running, the script starts 'em. When it gets to arpwatch, on the other hand, it hangs once arpwatch starts.
    I have removed the script part from the equation and just run from the command line like so:
    Code:
    #on local machine
    arpwatch -d -i eth0 -f /var/lib/arpwatch/arp.dat >> /var/log/ossim/arpwatch.log &
    [1] 21315
    ...which is the only expected output. Then I run it with ssh from the remote machine:
    Code:
    ssh "arpwatch -d -i eth0 -f /var/lib/arpwatch/arp.dat >> /var/log/ossim/arpwatch.log &"
    #hang hang hang hang
    Ctrl-C
    
    ssh "exec arpwatch -d -i eth0 -f /var/lib/arpwatch/arp.dat >> /var/log/ossim/arpwatch.log &"
    #the exec part should keep the script from forking and kill the subshell right?
    #hang hang hang hang hang
    ..and so on.
    So can anyone offer any advice on this weird behaviour? It appears to me that when arpwatch is run from ssh that some bit of output is getting caught and not letting the shell die in peace.

    Thanks!

    Adam

  2. #2
    adamdaughterson
    Anyone? Bueller?
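
A likely cause of the hang, shown as an added example that is not part of the original thread: sshd keeps a session open until every process holding the session's stdout or stderr has closed it, and `>> file` redirects only stdout, so the backgrounded arpwatch (which `-d` keeps in the foreground, reporting on stderr) still holds the channel. The script reproduces this locally; `sleep 3` standing in for arpwatch and a command-substitution pipe standing in for the ssh channel are assumptions of the demo.

```shell
#!/bin/bash
# Added example. `sleep 3` stands in for arpwatch; the pipe created by
# $( ... 2>&1) stands in for the ssh channel: like sshd, the reader is not
# done until every process holding the write end has closed it.

LOG=$(mktemp)                 # constructed stand-in for /var/log/ossim/arpwatch.log
trap 'rm -f "$LOG"' EXIT

# Same shape as the command in the post: only stdout goes to the log,
# so the background job still holds stderr (the "channel").
WEAK="sleep 3 >> '$LOG' &"

# stdin, stdout and stderr all detached from the channel.
FIXED="sleep 3 >> '$LOG' 2>&1 < /dev/null &"

# Print how many whole seconds the caller is blocked while launching "$1".
time_launch() {
    tl_start=$(date +%s)
    : "$(sh -c "$1" 2>&1)"    # returns only at EOF on the pipe
    tl_end=$(date +%s)
    echo $(( tl_end - tl_start ))
}

weak_secs=$(time_launch "$WEAK")
fixed_secs=$(time_launch "$FIXED")
echo "stdout-only redirect: caller blocked ${weak_secs}s"
echo "all fds redirected:   caller blocked ${fixed_secs}s"

# The same redirections applied to the command from the post
# (host variable as in the original script):
#   ssh "${SENSORLIST[$index]}" "arpwatch -d -i eth0 -f /var/lib/arpwatch/arp.dat \
#       >> /var/log/ossim/arpwatch.log 2>&1 < /dev/null &"
```

snort with `-D` and p0f with `-d` detach themselves as daemons, which is consistent with those two functions returning normally.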
