[Snort-users] Reload Snort to use new ruleset

Paul Schmehl pschmehl_lists at ...14358...
Thu Jul 28 14:26:11 EDT 2011


One minor nit.  Your script should restart barnyard before restarting 
snort.  Otherwise it is possible to catch an alert that won't be classified 
because barnyard has not yet reread the sid-msg.map file.

Yes, I said it's a nit.

--On July 26, 2011 8:44:44 PM +0000 "Castle, Shane" 
<scastle at ...14946...> wrote:

> The command "kill -SIGHUP <pid>" has not worked for some time with Snort
> IIRC (nor pkill, which I had been using before) and the suggested init.d
> entry for controlling snort does not use it, either, but rather stop and
> start:
>
>     restart|reload)
>         $0 stop
>         $0 start
>
> I suspect the doc needs updating.
>
> Add in using barnyard2 and things get more interesting. Here is my
> current cron script that uses oinkmaster (no pulledpork suggestions
> please):
>
> #!/bin/bash
> cd /etc/snort
> /sbin/service barnyard2 stop
>
> ./oinkmaster.pl -o ./rules -b ./backup -C ./bleeding-oink.conf -C \
>     ./oinkmaster.conf >oink.out 2>&1
>
> ./create-sidmap.pl rules >sid-msg.map
> /sbin/service snort restart
> /sbin/service barnyard2 start
-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell