Snort mailing list archives

Re: Restart snort inline without traffic loss?

From: Y M <snort () outlook com>
Date: Wed, 6 Feb 2013 13:35:14 +0300

If Snort is configured with reload option such as --enable-reload, then you can supply the -H argument to pulledpork 
whenever it is run. This will cause Snort to reload the new signatures processed by pulledpork without having to 
shutdown the Snort process. However, there are certain limits to what can be reloaded, such as dynamic libraries, 
output plugins, and other configurations from the snort.conf file.

YM
________________________________
From: Andy<mailto:a_w_smith () yahoo co uk>
Sent: ‎2/‎6/‎2013 1:27 PM
To: 'Heine Lysemose'<mailto:lysemose () gmail com>
Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Restart snort inline without traffic loss?

Hi,

I am already using pulledpork, how can I use this to help with my issues?

Thanks,
Andy.

-----Original Message-----
From: Heine Lysemose [mailto:lysemose () gmail com]
Sent: Tuesday, February 05, 2013 9:02 PM
To: Andy
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Restart snort inline without traffic loss?

Hi Andy

On Feb 5, 2013 9:30 PM, "Andy" <a_w_smith () yahoo co uk> wrote:


Hi,

I am new to snort, I have it installed on a web server running inline

mode

with iptables, nfqueue, barnyard2 and snorby.

I've downloaded the emerging threats rules, firstly all the rules are
alerts, do I have to convert these to drop if I want to drop the

traffic?

Have a look at Pulledpork,  http://code.google.com/p/pulledpork/, it will
do this for you + a lot of other cool things.

Assuming I do, how do I restart snort without loosing good traffic,
currently if I kill the process and restart I lose about 30 seconds of
traffic while snort restarts, not good on an ecommerce site.

I also would like a fail safe nfqueue bypass in case things go wrong, at

the

moment if snort goes down I also get locked out but its on a cron job to
restart if its down for more than 1 minute.

I need some advice please..

Thanks.


Regards,
Lysemose


------------------------------------------------------------------------

------

Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest

Snort news!




------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013 
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Restart snort inline without traffic loss? Andy (Feb 05)
- Re: Restart snort inline without traffic loss? Heine Lysemose (Feb 05)
  - Re: Restart snort inline without traffic loss? Andy (Feb 06)
- Re: Restart snort inline without traffic loss? Mitesh Jadia (Feb 06)
  - Re: Restart snort inline without traffic loss? waldo kitty (Feb 06)
- Re: Restart snort inline without traffic loss? waldo kitty (Feb 06)
- <Possible follow-ups>
- Re: Restart snort inline without traffic loss? Y M (Feb 06)
  - Re: Restart snort inline without traffic loss? Andy (Feb 07)
    - Re: Restart snort inline without traffic loss? Joel Esler (Feb 07)
    - Re: Restart snort inline without traffic loss? Andy (Feb 08)
    - Re: Restart snort inline without traffic loss? waldo kitty (Feb 07)
- Re: Restart snort inline without traffic loss? Y M (Feb 08)
  - Re: Restart snort inline without traffic loss? Andy (Feb 08)
    - Re: Restart snort inline without traffic loss? Joel Esler (Feb 08)
    - Re: Restart snort inline without traffic loss? Jeremy Hoel (Feb 08)
    - Re: Restart snort inline without traffic loss? waldo kitty (Feb 08)
    - Re: Restart snort inline without traffic loss? Andy (Feb 08)

(Thread continues...)