[Snort-users] Reload Snort to use new ruleset

Lay, James james.lay at ...15009...
Tue Jul 26 18:19:01 EDT 2011


I didn't know that on the sid-msg.map file...thanks for the heads up
Joel.  If I run into any issues with the restart I'll let you know, but
so far it's run like a champ.

James

> -----Original Message-----
> From: Joel Esler [mailto:jesler at ...1935...]
> Sent: Tuesday, July 26, 2011 3:59 PM
> To: Lay, James
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Reload Snort to use new ruleset
> 
> If there are errors with restart, we'd like a bug report.  However, I
> don't know of any off the top of my head, and as far as I know it works
> with regard to the documentation.
> 
> You will need to restart barnyard if you need it to re-read the
> sid-msg.map file.
> 
> J
> 
> On Jul 26, 2011, at 5:44 PM, Lay, James wrote:
> 
> > Odd...I've had no issues with sending SIGHUP to snort 2.9.0.5.  Also,
> > I don't think you need to kill barnyard2 every time you restart
> > snort....barnyard2 is smart enough to start reading the new unified
> > file once it's created (I think that's what the -d directive is for):
> >
> > Jul 26 15:25:29 ids barnyard2[15104]: Closing spool file '/opt/var/log/lan/lan.u2.1311714681'. Read 4 records
> > Jul 26 15:25:29 ids barnyard2[15104]: Opened spool file '/opt/var/log/lan/lan.u2.1311715529'
> > Jul 26 15:25:29 ids barnyard2[15104]: Waiting for new data
> >
> > James
> >
> >> -----Original Message-----
> >> From: Castle, Shane [mailto:scastle at ...14946...]
> >> Sent: Tuesday, July 26, 2011 2:45 PM
> >> To: RICHARD METZER; snort-users at lists.sourceforge.net
> >> Subject: Re: [Snort-users] Reload Snort to use new ruleset
> >>
> >> The command "kill -SIGHUP <pid>" has not worked for some time with
> >> Snort IIRC (nor pkill, which I had been using before) and the suggested
> >> init.d entry for controlling snort does not use it, either, but rather
> >> stop and start:
> >>
> >>    restart|reload)
> >>        $0 stop
> >>        $0 start
> >>
> >>    restart|reload)
> >>        $0 stop
> >>        $0 start
> >>
> >> I suspect the doc needs updating.
> >>
> >> Add in using barnyard2 and things get more interesting. Here is my
> >> current cron script that uses oinkmaster (no pulledpork suggestions
> >> please):
> >>
> >> #!/bin/bash
> >> cd /etc/snort
> >> # stop barnyard2 so it re-reads sid-msg.map when started again below
> >> /sbin/service barnyard2 stop
> >>
> >> ./oinkmaster.pl -o ./rules -b ./backup -C ./bleeding-oink.conf -C \
> >>     ./oinkmaster.conf >oink.out 2>&1
> >>
> >> ./create-sidmap.pl rules >sid-msg.map
> >> /sbin/service snort restart
> >> /sbin/service barnyard2 start
> >>
> >> --
> >> Shane Castle
> >> Data Security Mgr, Boulder County IT
> >> CISSP GSEC GCIH
> >>
> >> -----Original Message-----
> >> From: RICHARD METZER [mailto:rlmst26 at ...14704...]
> >> Sent: Tuesday, July 26, 2011 14:24
> >> To: snort-users at lists.sourceforge.net
> >> Subject: [Snort-users] Reload Snort to use new ruleset
> >>
> >> I understand the command kill -SIGHUP <pid> should reload Snort with
> >> the ability to read an updated ruleset.  However, it only seems to kill
> >> it.  I am manually adding new rules, so I would like to reload Snort to
> >> avoid any downtime monitoring.  I used the --enable-reload switch when I
> >> compiled Snort on an Ubuntu OS.  What am I missing?
> >>
> >>
> >> Thanks in advance,
> >>
> >> Rick
> >
> >> _______________________________________________
> >> Snort-users mailing list
> >> Snort-users at lists.sourceforge.net
> >> Go to this URL to change user options or unsubscribe:
> >> https://lists.sourceforge.net/lists/listinfo/snort-users
> >> Snort-users list archive:
> >> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>
> >> Please see http://www.snort.org/docs for documentation
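The procedure the thread converges on (update the rules, regenerate sid-msg.map, signal Snort, restart barnyard2 only because it reads sid-msg.map at startup) written up with the checks Shane's cron job skips: this is an added example, not code posted by anyone in the thread. It assumes a Snort 2.9 build configured with --enable-reload (as Rick and James describe), the `snort -T` configuration-test option, and the paths, pidfile and service names held in the variables at the top; all of those are assumptions, not values from the thread.

```bash
#!/bin/bash
# Added example (not from the thread). Rule-update helper for Snort 2.x +
# barnyard2: test the new config before signalling, reload with SIGHUP
# (requires a build configured with --enable-reload), and restart barnyard2
# only when sid-msg.map actually changed. Every path below is an assumption.
set -u

SNORT_BIN="${SNORT_BIN:-/usr/local/bin/snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
SNORT_PIDFILE="${SNORT_PIDFILE:-/var/run/snort_eth0.pid}"
SIDMAP="${SIDMAP:-/etc/snort/sid-msg.map}"
RULES_DIR="${RULES_DIR:-/etc/snort/rules}"

# POSIX checksum of a file; prints nothing if the file is missing.
file_sum() {
    [ -f "$1" ] && cksum "$1" | cut -d' ' -f1
}

# 0 if the new rule set parses cleanly: snort -T tests the config and exits.
snort_config_ok() {
    "$SNORT_BIN" -T -c "$SNORT_CONF" >/dev/null 2>&1
}

# 0 if the checksum recorded in $1 no longer matches file $2.
sidmap_changed() {
    [ "$1" != "$(file_sum "$2")" ]
}

# Signal the running Snort to reload, but only after the config test passes.
# A rule that fails to parse would otherwise take the sensor down, which is
# the "it only seems to kill it" outcome Rick reports.
reload_snort() {
    if ! snort_config_ok; then
        echo "snort -T failed; leaving the running instance untouched" >&2
        return 1
    fi
    [ -r "$SNORT_PIDFILE" ] || { echo "no pidfile $SNORT_PIDFILE" >&2; return 1; }
    kill -HUP "$(cat "$SNORT_PIDFILE")"
}

# Full procedure, run in a subshell so the cd does not leak to the caller.
# Not invoked on load, so the helpers above can be exercised on their own.
update_rules() (
    before=$(file_sum "$SIDMAP")
    cd "$(dirname "$SNORT_CONF")" || exit 1
    ./oinkmaster.pl -o "$RULES_DIR" -b ./backup -C ./oinkmaster.conf >oink.out 2>&1 || exit 1
    ./create-sidmap.pl "$RULES_DIR" >"$SIDMAP.new" && mv "$SIDMAP.new" "$SIDMAP" || exit 1
    reload_snort || exit 1
    # barnyard2 picks up new unified2 spool files on its own (the -d option
    # James mentions) but reads sid-msg.map only at startup, as Joel notes,
    # so restart it only when the map really changed.
    if sidmap_changed "$before" "$SIDMAP"; then
        /sbin/service barnyard2 restart
    fi
)
```

Run `update_rules` from cron in place of the stop/restart/start sequence; a failed `snort -T` leaves both Snort and barnyard2 running on the previous rule set and returns non-zero so the cron mail shows the failure.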