[Snort-devel] Resetting Snort without reloading everything

Hui cao huica at ...3461...
Tue Mar 31 09:09:59 EDT 2015


You can combine ScPcapReset() with SetRotatePerfFileFlag(void) in snort.c

Best,
Hui.

On 03/31/2015 08:33 AM, Mike Cox wrote:
> I'm wanting to run a large number of independent pcaps through Snort and 
> would like to be able to "reset" Snort after each run so that, 
> particularly, I can move off the alert files after each run and link 
> them with the pcap.  Currently I do separate Snort runs for each pcap, 
> but this adds unnecessary overhead and time since the rules, configs, 
> preprocs, etc. have to get loaded for each run.  I do this because 
> Snort maintains an open file handle(s) to the alert file(s) and 
> doesn't always immediately flush alerts to disk, so I send a kill 
> signal to Snort and wait until the file handles are released before 
> processing the alert file(s).
>
> Is there an easy way to reset Snort without having to restart it and 
> reload all the rules, etc.? Or is there a way to have the engine flush 
> everything to detection and flush alerts to disk that I could invoke 
> after I know the pcap has all been sent to Snort?
>
> There appear to be some solutions that are close to what I want but 
> not quite -- I know you can send a signal (default SIGUSR2) to Snort 
> to rotate stats, and in pcap run mode you can tell Snort to reset after 
> each pcap, but it still logs everything to the same alert file(s).
>
> I don't see an inherent way to have Snort do what I want, so my next 
> thought is to modify the code to do this.  Could someone point me in 
> the right direction? It seems that this functionality is already there 
> in the code for the most part (indicated by the fact that you can have 
> Snort reset between pcaps in pcap run mode); I just need to be able to 
> call it (e.g. listen for a signal) and make sure that when I reset 
> Snort I am in fact "doing it right" and not missing anything. I'm 
> hoping that some assistance regarding the latter will save me some 
> time going through the code. At this point I'm mostly concerned about 
> alerts and not so much about engine/perf stats, so forcing flushing to 
> detection and flushing to disk (and appropriately dealing with the 
> file handle(s)) is my main concern.  Any help is appreciated.
>
> Thank you.
>
> -Mike Cox
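The per-pcap workflow Mike describes (one run per pcap, then wait for the file handles to be released before touching the alert file) can be made deterministic without a kill signal: give every run its own log directory and only read the alert file after the Snort process has exited, which is when its handles are guaranteed closed. The harness below is an added example written for this thread; it is not Snort code and not Mike's or Hui's script. It assumes a Snort 2.x command line (`-q`, `-c`, `-r`, `-l`, `-A fast`) and that fast-mode alerts land in `<logdir>/alert`. The `runner` argument is `subprocess.run` in real use; the `simulated_snort` stand-in and the two empty `.pcap` files in `demo()` are constructed so the harness can be exercised on a machine without Snort.

```python
import subprocess
import tempfile
from pathlib import Path
from types import SimpleNamespace
from typing import Callable, Dict, Iterable, List, Optional


def build_snort_cmd(snort_bin: str, conf: str, pcap, logdir) -> List[str]:
    """One Snort 2.x invocation whose output is confined to logdir (-l).
    Flags assumed: -q quiet, -c config, -r read pcap, -A fast alert output."""
    return [snort_bin, "-q", "-c", conf, "-r", str(pcap), "-l", str(logdir), "-A", "fast"]


def run_pcaps(pcaps: Iterable[str], conf: str, out_root: str,
              snort_bin: str = "snort",
              runner: Callable = subprocess.run,
              timeout: int = 600) -> Dict[str, Optional[Path]]:
    """Run Snort once per pcap into out_root/<pcap stem>/ and return a map of
    pcap name -> alert file path (None when the run produced no alerts).

    runner is subprocess.run in real use; it is injectable so the control flow
    can be tested without Snort installed (see simulated_snort)."""
    results: Dict[str, Optional[Path]] = {}
    for name in pcaps:
        pcap = Path(name)
        if not pcap.is_file():
            raise FileNotFoundError(pcap)
        logdir = Path(out_root) / pcap.stem          # one directory per pcap
        logdir.mkdir(parents=True, exist_ok=True)
        cmd = build_snort_cmd(snort_bin, conf, pcap, logdir)
        # Blocking wait: when runner() returns, the Snort process has exited,
        # so every handle it held on the alert file is closed and the file is
        # complete. No kill signal or handle-polling loop is needed.
        proc = runner(cmd, timeout=timeout)
        if proc.returncode != 0:
            raise RuntimeError(f"snort exited {proc.returncode} on {pcap}")
        alert = logdir / "alert"
        has_alerts = alert.is_file() and alert.stat().st_size > 0
        results[pcap.name] = alert if has_alerts else None
    return results


def simulated_snort(cmd: List[str], timeout: Optional[int] = None) -> SimpleNamespace:
    """Constructed stand-in for subprocess.run when Snort is not installed.
    It writes one fast-format alert line (constructed sample) for any pcap
    whose name contains 'evil' and nothing for the others."""
    pcap = Path(cmd[cmd.index("-r") + 1])
    logdir = Path(cmd[cmd.index("-l") + 1])
    if "evil" in pcap.stem:
        (logdir / "alert").write_text(
            "03/31-08:33:00.000000  [**] [1:1000001:1] constructed test alert [**] "
            "[Priority: 3] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80\n")
    return SimpleNamespace(returncode=0)


def demo(out_root: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Create two constructed (empty) pcap files, run the harness with the
    simulated runner, and return {pcap name: alert path or None}."""
    root = Path(out_root or tempfile.mkdtemp(prefix="snort-batch-"))
    pcaps = []
    for stem in ("benign_session", "evil_session"):
        p = root / f"{stem}.pcap"
        p.write_bytes(b"")   # placeholder; the simulated runner never reads it
        pcaps.append(str(p))
    found = run_pcaps(pcaps, "snort.conf", str(root / "logs"), runner=simulated_snort)
    return {k: (str(v) if v else None) for k, v in found.items()}


if __name__ == "__main__":
    for pcap, alert in demo().items():
        print(f"{pcap}: {alert or 'no alerts'}")
```

Against a real installation, call `run_pcaps(list_of_pcaps, "/etc/snort/snort.conf", "/var/tmp/batch")` with the default runner; the cost of reloading rules per pcap remains, which is the overhead the thread is about, but the alert-to-pcap linkage is then a directory name rather than a timing guess.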
