[Snort-devel] snort inline mode and bridge

Vincent Li vincent.mc.li at ...2499...
Wed Oct 26 17:02:00 EDT 2016


It is not a problem, but an optimization I would like to see.
I have a lower-end PC with two NICs running snort in IPS bridge mode
between my ISP modem and my router at home. I use pulledpork to
update signatures every day, and I scripted snort to restart to pick up
the updated signatures after the new signatures finish downloading. The
snort restart takes about 5 minutes to finish, and during this 5-minute
period my home Internet is down, since snort starts the DAQ
bridge after SnortInit, which takes most of the time I think. BTW, I
have not tried snort reload.

My question is: can the DAQ bridge be started earlier in the snort
startup process, maybe before SnortInit, so that traffic can be
passed through early and the network connectivity downtime is reduced to
a minimum?

Let me know if I made myself clear :)



Thanks

Vincent

On Tue, Oct 25, 2016 at 11:31 AM, Russ <rucombs at ...3461...> wrote:
> Please restate the original problem.  I don't think fail open is what
> you are after.
>
> On 10/25/16 2:03 PM, Vincent Li wrote:
>> On Thu, Oct 13, 2016 at 8:26 PM, Y M <snort at ...3347...> wrote:
>>> Hello Vincent,
>>>
>>>
>>> I haven't tried this before, but when building Snort, there is this build
>>> option:
>>>
>>>
>>> "--enable-inline-init-failopen  Enable Fail Open during initialization for
>>> Inline Mode (adds pthread support implicitly)"
>>>
>>>
>>> Have you tried this? I would be interested to know if this achieves what you
>>> need.
>>>
>> So I tried to build snort with --enable-inline-init-failopen; it did
>> not solve the problem I have. It looks to me like InlineFailOpen is
>> called near the end of SnortMain, after SnortInit (which takes most
>> of the time during a snort restart) and before PacketLoop();
>>
>> I tried to hack the code to call InlineFailOpen before SnortInit, but
>> I got a memory segmentation fault after starting up snort and passing
>> traffic through it. I assume some memory has to be allocated before
>> starting up the DAQ bridge. Any further clue?
>>
>> Maybe some improvement is needed in line with the idea of InlineFailOpen?
>>
>> Thanks
>>
>> Vincent
>>
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>> Archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>
>> Please visit http://blog.snort.org for the latest news about Snort!
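The thread's actual pain point is the restart, not the signature download: the bridge is torn down while SnortInit re-parses everything. The script below is an added example (not code from this thread or from the Snort project) that updates rules with pulledpork, runs Snort's config self-test, and then reloads the running process with SIGHUP instead of restarting it, so the inline bridge keeps forwarding while rules are re-read. It assumes a Snort 2.9 build with reload support (SIGHUP reloads in place rather than re-executing); the binary, config and pidfile paths are placeholders.

```shell
#!/bin/sh
# Added example: refresh rules, validate, reload in place; restart only as a
# last resort. All paths below are assumptions for this illustration.
SNORT_BIN="${SNORT_BIN:-/usr/local/bin/snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
SNORT_PIDFILE="${SNORT_PIDFILE:-/var/run/snort.pid}"   # placeholder name

# Run Snort's configuration self-test (-T) against the freshly written rules.
# A bad download must never reach the live process: a reload that fails
# mid-parse is exactly the outage the thread is trying to avoid.
# Returns the exit status of the test (0 = config parses cleanly).
validate_config() {
    conf="$1"
    "$SNORT_BIN" -T -c "$conf" >/dev/null 2>&1
}

# Ask the running Snort to re-read its configuration (SIGHUP) and confirm
# the process is still alive afterwards, so the caller can detect a reload
# that killed the daemon. Returns 1 if the pidfile is unreadable, the
# signal could not be delivered, or the process is gone.
reload_snort() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    kill -HUP "$pid" 2>/dev/null || return 1
    sleep 2                      # give the reload a moment to take effect
    kill -0 "$pid" 2>/dev/null   # still running?
}

# Full cycle as run from cron after pulledpork. Falls back to a full restart
# (with its bridge downtime) only when the in-place reload fails.
update_and_reload() {
    pulledpork.pl -c /etc/snort/pulledpork.conf || return 1   # assumed path
    validate_config "$SNORT_CONF" || {
        echo "config test failed; keeping the running rule set" >&2
        return 1
    }
    reload_snort "$SNORT_PIDFILE" || service snort restart     # assumed service name
}
```

Running `snort -T` before signalling the daemon is the check that matters: it catches a broken rules file without touching the live bridge.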
