[Snort-devel] Resetting Snort without reloading everything

Mike Cox mike.cox52 at ...2499...
Tue Mar 31 08:33:46 EDT 2015


I'm wanting to run a large number of independent pcaps through Snort and would
like to be able to "reset" Snort after each run so that, particularly, I
can move off the alert files after each run and link them with the pcap.
Currently I do separate Snort runs for each pcap, but this adds unnecessary
overhead and time since the rules, configs, preprocs, etc. have to get
loaded for each run.  I do this because Snort maintains an open file
handle(s) to the alert file(s) and doesn't always immediately flush alerts
to disk, so I send a kill signal to Snort and wait until the file handles
are released before processing the alert file(s).

Is there an easy way to reset Snort without having to restart it and reload
all the rules, etc.? Or is there a way to have the engine flush everything
to detection and flush alerts to disk that I could invoke after I know the
pcap has all been sent to Snort?

There appear to be some solutions that are close to what I want but not
quite -- I know you can send a signal (default SIGUSR2) to Snort to rotate
stats, and in pcap run mode you can tell Snort to reset after each pcap, but
it still logs everything to the same alert file(s).

I don't see an inherent way to have Snort do what I want, so my next thought
is to modify the code to do this.  Could someone point me in the right
direction? It seems that this functionality is already there in the code
for the most part (indicated by the fact that you can have Snort reset
between pcaps in pcap run mode); I just need to be able to call it (e.g.
listen for a signal) and make sure that when I reset Snort I am in fact
"doing it right" and not missing anything. I'm hoping that some assistance
regarding the latter will save me some time going through the code. At this
point I'm mostly concerned about alerts and not so much about engine/perf
stats, so forcing flushing to detection and flushing to disk (and
appropriately dealing with the file handle(s)) is my main concern.  Any
help is appreciated.

Thank you.

-Mike Cox
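The per-pcap workflow described above, written out as a driver script. This is an added example, not code from the original post or from the Snort project. It assumes the Snort 2.x command line (-q, -c, -r, -l, -A fast) and that "-A fast" writes its alerts to a file named "alert" inside the -l log directory. Rather than signalling a long-lived Snort and polling for the file handle to be released, it waits for each process to exit (which closes and flushes the alert file) and gives every pcap its own log directory, so the alert file is tied to its pcap by path and never has to be moved. Because Snort is not available everywhere, the block also ships a constructed stand-in "snort" shell script that only emulates the -r/-l handling so the driver can be exercised offline; demo() and make_fake_snort() are helpers invented here for that purpose.

```python
"""Run one Snort process per pcap, each with its own log directory.

Added example, not code from the original post or from Snort itself.
Assumes Snort 2.x flags: -q -c <conf> -r <pcap> -l <logdir> -A fast,
and that alert_fast output lands in <logdir>/alert.
"""
import shutil
import stat
import subprocess
import tempfile
from pathlib import Path


def run_snort_per_pcap(pcaps, snort_bin, config, out_root):
    """Run snort once per pcap and return {pcap_path: alert_path_or_None}.

    Waiting on process exit guarantees the alert file is flushed and
    closed before it is read; the per-pcap -l directory links alerts
    to their pcap without any rename/move step.
    """
    results = {}
    out_root = Path(out_root)
    for pcap in map(Path, pcaps):
        logdir = out_root / pcap.stem
        logdir.mkdir(parents=True, exist_ok=True)
        cmd = [str(snort_bin), "-q", "-c", str(config),
               "-r", str(pcap), "-l", str(logdir), "-A", "fast"]
        proc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.PIPE, text=True)
        if proc.returncode != 0:
            raise RuntimeError(f"snort failed on {pcap}: {proc.stderr.strip()}")
        alert = logdir / "alert"  # alert_fast default file name (assumption)
        results[str(pcap)] = str(alert) if alert.is_file() else None
    return results


# Constructed stand-in for the snort binary, used only for the offline demo.
# It parses -r and -l the way the driver passes them and writes one
# fast-style alert line naming the pcap it was given.
FAKE_SNORT = """#!/bin/sh
pcap=; logdir=
while [ $# -gt 0 ]; do
  case "$1" in
    -r) pcap="$2"; shift ;;
    -l) logdir="$2"; shift ;;
  esac
  shift
done
printf '%s\\n' "[**] [1:1000001:1] constructed alert from $pcap [**]" > "$logdir/alert"
"""


def make_fake_snort(path):
    """Write the constructed stand-in script and make it executable."""
    path = Path(path)
    path.write_text(FAKE_SNORT)
    path.chmod(path.stat().st_mode | stat.S_IXUSR)
    return path


def demo():
    """Drive two constructed (empty) pcaps through the stand-in snort.

    Returns {pcap_file_name: (log_dir_name, alert_text)} so the pairing
    of pcap and alert file can be checked.
    """
    root = Path(tempfile.mkdtemp(prefix="snort-demo-"))
    try:
        snort = make_fake_snort(root / "snort")
        config = root / "snort.conf"
        config.write_text("# constructed, unused by the stand-in\n")
        pcaps = []
        for name in ("sample1.pcap", "sample2.pcap"):
            p = root / name
            p.write_bytes(b"")  # constructed placeholder, not a real capture
            pcaps.append(p)
        mapping = run_snort_per_pcap(pcaps, snort, config, root / "logs")
        out = {}
        for pcap, alert in mapping.items():
            alert = Path(alert)
            out[Path(pcap).name] = (alert.parent.name, alert.read_text().strip())
        return out
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, (logdir, text) in demo().items():
        print(f"{name} -> {logdir}/alert: {text}")
```

With a real Snort, replace the stand-in with the installed binary and a real snort.conf; the driver itself does not change. The cost the post complains about (reloading rules per run) remains, but the file-handle race disappears because nothing is read until the process that owned the handle has exited.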