[Snort-users] Restart snort inline without traffic loss?

Andy a_w_smith at ...1396...
Tue Feb 5 15:26:59 EST 2013


Hi,

I am new to snort, I have it installed on a web server running inline mode
with iptables, nfqueue, barnyard2 and snorby.

I've downloaded the emerging threats rules, firstly all the rules are
alerts, do I have to convert these to drop if I want to drop the traffic?

Assuming I do, how do I restart snort without loosing good traffic,
currently if I kill the process and restart I lose about 30 seconds of
traffic while snort restarts, not good on an ecommerce site.

I also would like a fail safe nfqueue bypass in case things go wrong, at the
moment if snort goes down I also get locked out but its on a cron job to
restart if its down for more than 1 minute.

I need some advice please..

Thanks.





More information about the Snort-users mailing list