[Snort-devel] O Snort development gurus!

Dragos Ruiu dr at ...40...
Sun Oct 6 18:22:02 EDT 2002


On October 4, 2002 02:32 am, Erek Adams wrote:
> > This is not what I am suggesting. To clarify, I would like to see a
> > feature where snort has the ability to load new rules, reload changed
> > rules, and remove rules without requiring a process restart. The action
> > would ideally be initiated either a) manually, b) automatically after a
> > rule has been modified, or c) automatically after a rule has been added
> > or removed from the ruleset. It would *not* occur each time a packet is
> > processed. It should only occur in the situations mentioned above.
>
> I understand what you are suggesting, but what you want isn't possible--At
> this time.  Donald was right:  ...snort reads the rules and 'compiles'
> them... I don't know if you've dug into the code, but due to the way snort
> works, it builds the rulelist once when it's started.  (Check FAQ 3.13)

It's not impossible. It may be difficult in the current structure. It may even 
be more difficult without pausing processing or incurring the risk of losing 
packets during recompilation.  But not impossible by any means.

cheers,
--dr

-- 
dr at ...40...   pgp: http://dragos.com/kyxpgp
Advance CanSecWest/03 registration available: http://cansecwest.com
"The question of whether computers can think is like the question
  of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002
