[Snort-users] Reload Snort to use new ruleset

Lay, James james.lay at ...15009...
Tue Jul 26 17:44:23 EDT 2011


Odd...I've had no issues with sending SIGHUP to snort 2.9.0.5.  Also, I
don't think you need to kill barnyard2 every time you restart
snort....barnyard2 is smart enough to start reading the new unified file
once it's created (I think that's what the -d directive is for):

Jul 26 15:25:29 ids barnyard2[15104]: Closing spool file
'/opt/var/log/lan/lan.u2.1311714681'. Read 4 records
Jul 26 15:25:29 ids barnyard2[15104]: Opened spool file
'/opt/var/log/lan/lan.u2.1311715529'
Jul 26 15:25:29 ids barnyard2[15104]: Waiting for new data

James 
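An added example, not written by James, Shane or Rick, that puts the thread's two points into a checkable script: send SIGHUP to a running Snort and confirm the process survived instead of exiting (Rick's symptom), then read barnyard2's syslog lines, like the ones James pasted, to confirm it moved on to the newly created unified2 spool file instead of needing a stop/start. The pid-file path, log path and function names are assumptions; adjust them to the local install.

```sh
#!/bin/sh
# Added example (not from the thread). Reload Snort rules with SIGHUP and
# verify both the daemon and barnyard2 behaved, instead of blindly restarting.
# Paths below are assumptions for illustration only.

SNORT_PIDFILE="${SNORT_PIDFILE:-/var/run/snort_eth0.pid}"   # assumed location
BARNYARD_LOG="${BARNYARD_LOG:-/var/log/messages}"           # assumed syslog file

# Return 0 if a process with the given PID exists (kill -0 sends no signal).
process_alive() {
    kill -0 "$1" 2>/dev/null
}

# Send SIGHUP to the Snort PID and report whether it is still running after
# a short grace period ($2 seconds, default 2). Prints "reloaded" and returns 0
# on success, prints "died" and returns 1 if the process is gone, returns 2
# if there was no such process to begin with.
reload_snort() {
    pid="$1"
    process_alive "$pid" || { echo "no such process"; return 2; }
    kill -HUP "$pid"
    sleep "${2:-2}"            # give snort time to reparse the rule set
    if process_alive "$pid"; then
        echo reloaded
        return 0
    fi
    echo died
    return 1
}

# Read barnyard2 syslog lines from stdin and print the most recently opened
# spool file path, or nothing if no "Opened spool file" line is present.
latest_spool_file() {
    sed -n "s/.*Opened spool file '\([^']*\)'.*/\1/p" | tail -n 1
}

# Read barnyard2 syslog lines from stdin and return 0 if it opened a spool
# file whose timestamp suffix is newer than the one given as $1, i.e. it
# followed the rotation to the unified2 file created after the reload.
barnyard_followed_rotation() {
    old="$1"
    new=$(latest_spool_file)
    [ -n "$new" ] || return 1
    old_ts=${old##*.}          # unified2 names end in .<unix timestamp>
    new_ts=${new##*.}
    [ "$new_ts" -gt "$old_ts" ]
}

# Usage (assumed layout, as root, after editing the rules):
#   pid=$(cat "$SNORT_PIDFILE")
#   old=$(latest_spool_file < "$BARNYARD_LOG")
#   reload_snort "$pid" && barnyard_followed_rotation "$old" < "$BARNYARD_LOG"
```

The reload check is deliberately separate from the barnyard2 check: a Snort build without reload support will simply exit on SIGHUP, which `reload_snort` reports as "died", and that is the case where a stop/start script like Shane's is the only option. If Snort does stay up and opens a fresh unified2 file, barnyard2 logs the "Closing spool file ... Opened spool file" pair on its own, so stopping it around the reload is unnecessary.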

> -----Original Message-----
> From: Castle, Shane [mailto:scastle at ...14946...]
> Sent: Tuesday, July 26, 2011 2:45 PM
> To: RICHARD METZER; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Reload Snort to use new ruleset
> 
> The command "kill -SIGHUP <pid>" has not worked for some time with Snort
> IIRC (nor pkill, which I had been using before) and the suggested init.d
> entry for controlling snort does not use it, either, but rather stop and
> start:
> 
>     restart|reload)
>         $0 stop
>         $0 start
> 
> I suspect the doc needs updating.
> 
> Add in using barnyard2 and things get more interesting. Here is my current
> cron script that uses oinkmaster (no pulledpork suggestions please):
> 
> #!/bin/bash
> # Stop barnyard2 before touching the rules; it is restarted at the end
> cd /etc/snort || exit 1
> /sbin/service barnyard2 stop
> 
> # Pull the updated rules with oinkmaster (both configs), log to oink.out
> ./oinkmaster.pl -o ./rules -b ./backup -C ./bleeding-oink.conf -C \
>     ./oinkmaster.conf >oink.out 2>&1
> 
> # Regenerate sid-msg.map from the new rules, then restart snort and barnyard2
> ./create-sidmap.pl rules >sid-msg.map
> /sbin/service snort restart
> /sbin/service barnyard2 start
> 
> --
> Shane Castle
> Data Security Mgr, Boulder County IT
> CISSP GSEC GCIH
> 
> -----Original Message-----
> From: RICHARD METZER [mailto:rlmst26 at ...14704...]
> Sent: Tuesday, July 26, 2011 14:24
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Reload Snort to use new ruleset
> 
> I understand the command kill -SIGHUP <pid> should reload Snort with the
> ability to read an updated ruleset.  However, it only seems to kill it.  I
> am manually adding new rules, so I would like to reload Snort to avoid any
> downtime monitoring.  I used the --enable-reload switch when I compiled Snort
> on an Ubuntu OS.  What am I missing?
> 
> 
> Thanks in advance,
> 
> Rick
> 