[Snort-devel] snort inline mode and bridge

Vincent Li vincent.mc.li at ...2499...
Thu Oct 27 13:45:39 EDT 2016


Thanks! I guess the daily signature update is reloadable config for snort
reload, so I will just use reload.

On Thu, Oct 27, 2016 at 3:51 AM, Russ <rucombs at ...3461...> wrote:
>
>
> On 10/26/16 5:02 PM, Vincent Li wrote:
>>
>> It is not a problem, but some optimal improvement I would like to see.
>> I have a lower-end PC with two NICs running snort in IPS bridge mode
>> between my ISP modem and my router at home. I use pulledpork to
>> update signatures every day, and I scripted snort to restart to take
>> the updated signatures after the new signatures finish downloading. The
>> snort restart takes about 5 minutes to finish, and during this 5-minute
>> period my home Internet is down, since snort starts the DAQ
>> bridge after SnortInit, which takes most of the time, I think. BTW, I
>> have not tried snort reload.
>
> You should try reload, that is exactly what it is for.  Snort will keep
> running during the reload so you don't have that downtime.
>>
>>
>> My question is: can the DAQ bridge be started earlier in the snort
>> startup process, maybe before SnortInit, so that traffic can be
>> passed through early to reduce the network connectivity downtime to
>> a minimum?
>
> Snort has "fail open" support during startup because some initialization
> must be done after opening the DAQ interfaces. During that time, which is
> typically very brief, it will pass packets so your network remains
> functional.  However, most of the startup time is prior to the fail open
> state.  The change you suggest is possible but reload should make it
> unnecessary.
>
>>
>> let me know if I made myself clear :)
>>
>>
>>
>> Thanks
>>
>> Vincent
>>
>> On Tue, Oct 25, 2016 at 11:31 AM, Russ <rucombs at ...3461...> wrote:
>>>
>>> Please restate the original problem.  I don't think fail open is what
>>> you are after.
>>>
>>> On 10/25/16 2:03 PM, Vincent Li wrote:
>>>>
>>>> On Thu, Oct 13, 2016 at 8:26 PM, Y M <snort at ...3347...> wrote:
>>>>>
>>>>> Hello Vincent,
>>>>>
>>>>>
>>>>> I haven't tried this before, but when building Snort, there is this
>>>>> build option:
>>>>>
>>>>> "--enable-inline-init-failopen  Enable Fail Open during initialization
>>>>> for Inline Mode (adds pthread support implicitly)"
>>>>>
>>>>> Have you tried this? I would be interested to know if this achieves
>>>>> what you need.
>>>>>
>>>> So I tried to build snort with --enable-inline-init-failopen; it did
>>>> not solve the problem I have. It looks to me like InlineFailOpen is
>>>> called near the end of SnortMain, after SnortInit (which takes most
>>>> of the time during snort restart) and before PacketLoop();
>>>>
>>>> I tried to hack the code to call InlineFailOpen before SnortInit, but
>>>> I had a memory segment fault after starting up snort and passing traffic
>>>> through it. I assume some memory has to be allocated before starting
>>>> up the DAQ bridge; any further clue?
>>>>
>>>> Maybe some improvement is needed in line with the idea of InlineFailOpen?
>>>>
>>>> Thanks
>>>>
>>>> Vincent
>>>>
>>>>
>>>
>>>
>>>
>
>
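
The reload-instead-of-restart approach recommended above, as an added example that is not part of the thread or of Snort's own code: it validates the updated rules with `snort -T` and then sends SIGHUP, which triggers a reload in Snort 2.9.x built with reload support, so the inline bridge keeps passing traffic. All paths, the state file and the function names are assumptions to adapt to the local install.

```shell
#!/usr/bin/env bash
# Added example: reload Snort after a rule update instead of restarting it.
# Every path below is an assumption; override via the environment.
SNORT_BIN="${SNORT_BIN:-/usr/local/bin/snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
SNORT_PID="${SNORT_PID:-/var/run/snort_eth0.pid}"
RULES_FILE="${RULES_FILE:-/etc/snort/rules/snort.rules}"   # file the updater writes
STATE_FILE="${STATE_FILE:-/var/lib/snort/rules.sha256}"    # digest at last reload

# Print the SHA-256 of the current rules file (empty output if unreadable).
rules_digest() {
    sha256sum "$RULES_FILE" 2>/dev/null | cut -d' ' -f1
}

# Return codes: 0 reloaded, 1 rules unchanged or unreadable,
#               2 new config rejected by snort -T, 3 snort not running.
reload_snort() {
    local new old pid
    new=$(rules_digest)
    [ -n "$new" ] || return 1
    old=$(cat "$STATE_FILE" 2>/dev/null) || old=""
    [ "$new" != "$old" ] || return 1

    # -T parses the config and rules, then exits. A broken update is caught
    # here and the running process keeps inspecting with the old rules.
    "$SNORT_BIN" -T -c "$SNORT_CONF" >/dev/null 2>&1 || return 2

    pid=$(cat "$SNORT_PID" 2>/dev/null) || return 3
    kill -0 "$pid" 2>/dev/null || return 3   # stale pid file
    kill -HUP "$pid" || return 3             # reload; the DAQ bridge stays up

    # Record the digest only after the signal was delivered.
    printf '%s\n' "$new" > "$STATE_FILE"
}

# Run as "script reload" from cron after the rule updater finishes.
if [ "${1:-}" = "reload" ]; then
    reload_snort
    exit $?
fi
```

A return code of 2 or 3 is worth alerting on: 2 means the downloaded rule set does not parse, 3 means the sensor is down and nothing is being inspected.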



