[Snort-devel] Resetting Snort without reloading everything
huica at ...3461...
Tue Mar 31 09:09:59 EDT 2015
You can combine ScPcapReset() with SetRotatePerfFileFlag(void) in snort.c
On 03/31/2015 08:33 AM, Mike Cox wrote:
> I'm wanting to run a large number of independent pcaps through Snort and
> would like to be able to "reset" Snort after each run so that,
> particularly, I can move off the alert files after each run and link
> them with the pcap. Currently I do separate Snort runs for each pcap
> but this adds unnecessary overhead and time since the rules, configs,
> preprocs, etc. have to get loaded for each run. I do this because
> Snort maintains an open file handle(s) to the alert file(s) and
> doesn't always immediately flush alerts to disk so I send a kill
> signal to Snort and wait until the file handles are released before
> processing the alert file(s).
>
> Is there an easy way to reset Snort without having to restart it and
> reload all the rules, etc.? Or is there a way to have the engine flush
> everything to detection and flush alerts to disk that I could invoke
> after I know the pcap has all been sent to Snort?
>
> There appear to be some solutions that are close to what I want but
> not quite -- I know you can send a signal (default SIGUSR2) to Snort
> to rotate stats and in pcap run mode you can tell Snort to reset after
> each pcap but it still logs everything to the same alert file(s).
>
> I don't see an inherent way to have Snort do what I want so my next
> thought is to modify the code to do this. Could someone point me in
> the right direction? It seems that this functionality is already there
> in the code for the most part (indicated by the fact that you can have
> Snort reset between pcaps in pcap run mode); I just need to be able to
> call it (e.g. listen for a signal) and make sure that when I reset
> Snort I am in fact "doing it right" and not missing anything. I'm
> hoping that some assistance regarding the latter will save me some
> time going through the code. At this point I'm mostly concerned about
> alerts and not so much about engine/perf stats so forcing flushing to
> detection and flushing to disk (and appropriately dealing with the
> file handle(s)) is my main concern. Any help is appreciated.
>
> Thank you.
>
> -Mike Cox
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> Please visit http://blog.snort.org for the latest news about Snort!
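The thread turns on one mechanism: an operator sends a signal, the engine finishes what it is doing, flushes alerts to disk, releases the file handle, moves the finished alert file aside so it can be paired with its pcap, and reopens a fresh one. The example below is added here to show that pattern in a self-contained C logger; it is not Snort's code and does not reproduce ScPcapReset() or SetRotatePerfFileFlag() from snort.c. All names (`alert_log_t`, `alert_log_rotate`, `alert_log_service_signal`, `demo_rotate_cycle`) are hypothetical, the alert lines are constructed, and SIGUSR2 is used only because the original message names it as Snort's default stats-rotation signal. The security-relevant detail is the split between the handler and the main loop: the handler only stores a flag, so no stdio or file-system call runs in signal context, and the flush/fsync/close/rename/reopen sequence runs between packets where it is safe.

```c
/* Added example (not Snort code): signal-driven flush-and-rotate of an alert
 * file. The handler sets a flag; the packet loop checks the flag and does the
 * real work there, so nothing non-async-signal-safe runs in the handler. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Written by the handler, read by the main loop; sig_atomic_t keeps it atomic. */
static volatile sig_atomic_t rotate_requested = 0;

/* Async-signal-safe: only a flag store happens here. */
static void on_rotate_signal(int signo) { (void)signo; rotate_requested = 1; }

int install_rotate_signal(int signo) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_rotate_signal;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;            /* do not make the packet read fail with EINTR */
    return sigaction(signo, &sa, NULL);
}

typedef struct {
    char path[512];     /* live alert file name */
    FILE *fp;           /* open handle, NULL between close and reopen */
    unsigned rotations; /* suffix for the next rotated file */
} alert_log_t;

int alert_log_open(alert_log_t *log, const char *path) {
    snprintf(log->path, sizeof log->path, "%s", path);
    log->rotations = 0;
    log->fp = fopen(path, "a");
    return log->fp ? 0 : -1;
}

int alert_log_write(alert_log_t *log, const char *msg) {
    if (!log->fp) return -1;
    return fprintf(log->fp, "%s\n", msg) < 0 ? -1 : 0;
}

/* Flush userspace buffers, force the data to disk, release the handle, move the
 * finished file aside and reopen a fresh one under the original name. The
 * rotated name is returned via 'out' so the caller can pair it with its pcap. */
int alert_log_rotate(alert_log_t *log, char *out, size_t outlen) {
    if (!log->fp) return -1;
    if (fflush(log->fp) != 0) return -1;
    if (fsync(fileno(log->fp)) != 0) return -1;
    int rc = fclose(log->fp);
    log->fp = NULL;
    if (rc != 0) return -1;
    snprintf(out, outlen, "%s.%u", log->path, log->rotations++);
    if (rename(log->path, out) != 0) return -1;
    log->fp = fopen(log->path, "a");
    return log->fp ? 0 : -1;
}

/* Called from the packet loop. Returns 1 when no signal is pending, 0 after a
 * successful rotation, -1 on failure. */
int alert_log_service_signal(alert_log_t *log, char *out, size_t outlen) {
    if (!rotate_requested) return 1;
    rotate_requested = 0;
    return alert_log_rotate(log, out, outlen);
}

/* Count newline-terminated records in a file; -1 if it cannot be opened. */
long count_lines(const char *path) {
    FILE *fp = fopen(path, "r");
    if (!fp) return -1;
    long n = 0; int c;
    while ((c = fgetc(fp)) != EOF) if (c == '\n') n++;
    fclose(fp);
    return n;
}

/* Drives one full cycle in a temp dir: two constructed alerts for "pcap A",
 * the rotation signal, servicing it from the loop, then one alert for
 * "pcap B". Returns 0 when the rotated file holds 2 lines and the live one 1. */
int demo_rotate_cycle(void) {
    char dir[] = "/tmp/alertrotXXXXXX";
    if (!mkdtemp(dir)) return -1;
    char path[1024], rotated[1024];
    snprintf(path, sizeof path, "%s/alert", dir);
    alert_log_t log;
    if (alert_log_open(&log, path) != 0) return -2;
    if (install_rotate_signal(SIGUSR2) != 0) return -3;
    alert_log_write(&log, "[**] [1:1000001:1] constructed alert from pcap A [**]");
    alert_log_write(&log, "[**] [1:1000002:1] constructed alert from pcap A [**]");
    raise(SIGUSR2);                    /* stands in for the operator's kill -USR2 */
    if (alert_log_service_signal(&log, rotated, sizeof rotated) != 0) return -4;
    alert_log_write(&log, "[**] [1:1000003:1] constructed alert from pcap B [**]");
    fflush(log.fp);
    int ok = count_lines(rotated) == 2 && count_lines(path) == 1;
    fclose(log.fp);
    unlink(rotated); unlink(path); rmdir(dir);   /* clean up the temp files */
    return ok ? 0 : -5;
}

int main(void) {
    int rc = demo_rotate_cycle();
    printf("rotate cycle %s (rc=%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc == 0 ? 0 : 1;
}
```

In a real engine the rotation would be serviced at the point where the packet loop already checks its other pending flags (the reply above points at SetRotatePerfFileFlag() in snort.c for where Snort does this for perf stats), and the fsync() is what guarantees the rotated file is complete on disk before a separate process reads and archives it alongside the pcap.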