[Snort-users] Restart snort inline without traffic loss?
a_w_smith at ...1396...
Tue Feb 5 15:26:59 EST 2013
I am new to snort, I have it installed on a web server running inline mode
with iptables, nfqueue, barnyard2 and snorby.
I've downloaded the emerging threats rules, firstly all the rules are
alerts, do I have to convert these to drop if I want to drop the traffic?
Assuming I do, how do I restart snort without losing good traffic,
currently if I kill the process and restart I lose about 30 seconds of
traffic while snort restarts, not good on an ecommerce site.
I also would like a fail safe nfqueue bypass in case things go wrong, at the
moment if snort goes down I also get locked out, but it's on a cron job to
restart if it's down for more than 1 minute.
I need some advice, please.