[Snort-users] Reload Snort to use new ruleset

Marcos Rodriguez marcos.e.rodriguez at ...11827...
Tue Jul 26 16:50:52 EDT 2011


On Tue, Jul 26, 2011 at 4:44 PM, Castle, Shane <scastle at ...14946...> wrote:

> The command "kill -SIGHUP <pid>" has not worked for some time with Snort
> IIRC (nor pkill, which I had been using before) and the suggested init.d
> entry for controlling snort does not use it, either, but rather stop and
> start:
>
>    restart|reload)
>        $0 stop
>        $0 start
>
> I suspect the doc needs updating.
>
> Add in using barnyard2 and things get more interesting. Here is my current
> cron script that uses oinkmaster (no pulledpork suggestions please):
>
> #!/bin/bash
> cd /etc/snort
> # Stop barnyard2 first so it is not reading the unified2 spool while snort restarts
> /sbin/service barnyard2 stop
>
> # Fetch and merge the rule sets into ./rules, keeping backups in ./backup
> ./oinkmaster.pl -o ./rules -b ./backup -C ./bleeding-oink.conf \
>     -C ./oinkmaster.conf >oink.out 2>&1
>
> # Regenerate sid-msg.map so barnyard2 can map any new SIDs to their messages
> ./create-sidmap.pl rules >sid-msg.map
> # The init script's restart is stop + start, so the sensor is briefly down here
> /sbin/service snort restart
> /sbin/service barnyard2 start
>
> --
> Shane Castle
> Data Security Mgr, Boulder County IT
> CISSP GSEC GCIH
>
> -----Original Message-----
> From: RICHARD METZER [mailto:rlmst26 at ...14704...]
> Sent: Tuesday, July 26, 2011 14:24
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Reload Snort to use new ruleset
>
> I understand the command kill -SIGHUP <pid> should reload Snort with the
> ability to read an updated ruleset.  However, it only seems to kill it.  I
> am manually adding new rules, so I would like to reload Snort to avoid any
> downtime monitoring.  I used the --enable-reload switch when I compiled Snort
> on an Ubuntu OS.  What am I missing?
>
>
> Thanks in advance,
>
> Rick


Hi Gents,

You need to make sure Snort is compiled with the --enable-reload switch in
your ./configure line.  This is to allow continued inspection when you make
changes to your active .conf file.  Hope this helps!

marcos
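An added example, not a script from this thread or from the Snort project: Shane's cron job with one extra step, a `snort -T` configuration test between the rule update and the restart. `snort -T` parses snort.conf and every rules file it includes and exits non-zero on a parse error without sniffing anything, so a bad rule from an update leaves the old sensor running instead of taking it down. The paths, the /sbin/service names and the `run` argument used for the cron entry are assumptions modelled on Shane's layout.

```sh
#!/bin/sh
# Added example (not from the thread): Shane's update job plus a "snort -T"
# test before the restart. Paths and service names are assumptions.

SNORT_DIR=${SNORT_DIR:-/etc/snort}
SNORT_CONF=${SNORT_CONF:-$SNORT_DIR/snort.conf}
SNORT_BIN=${SNORT_BIN:-/usr/sbin/snort}
SERVICE=${SERVICE:-/sbin/service}
LOG=${LOG:-$SNORT_DIR/oink.out}

# "snort -T -c <conf>" parses snort.conf and all included rules files and
# exits 0 on success, non-zero on any parse error. The running sensor is
# untouched; output is appended to the same log oinkmaster writes to.
check_config() {
    "$SNORT_BIN" -T -c "$1" >>"$LOG" 2>&1
}

# Fetch rules with oinkmaster and rebuild sid-msg.map for barnyard2.
# Unlike the original job, stop if oinkmaster itself fails.
update_rules() {
    cd "$SNORT_DIR" || return 1
    ./oinkmaster.pl -o ./rules -b ./backup \
        -C ./bleeding-oink.conf -C ./oinkmaster.conf >"$LOG" 2>&1 || return 1
    ./create-sidmap.pl rules >sid-msg.map
}

# Restart snort only when the new configuration passes the test.
# Returns 0 if the restart was issued, 1 if it was skipped.
reload_if_valid() {
    if check_config "$SNORT_CONF"; then
        "$SERVICE" snort restart
        return 0
    fi
    echo "snort -T failed; keeping the old rules, see $LOG" >&2
    return 1
}

main() {
    "$SERVICE" barnyard2 stop      # keep barnyard2 off the spool during the swap
    if update_rules; then
        reload_if_valid
    else
        echo "oinkmaster failed, see $LOG" >&2
    fi
    "$SERVICE" barnyard2 start     # resume spooling whether or not we restarted
}

# Assumed cron entry:  0 3 * * * /usr/local/sbin/snort-rules.sh run
if [ "${1:-}" = run ]; then
    main
fi
```

This does not make the stop/start any shorter; the sensor is still down for the restart window. What it removes is the worse outcome, a rule file with a typo leaving snort unable to start at all until someone notices.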