[Snort-users] Restart snort inline without traffic loss?

Andy a_w_smith at ...1396...
Wed Feb 6 05:26:35 EST 2013


Hi,

I am already using pulledpork, how can I use this to help with my issues?

Thanks,
Andy.

> -----Original Message-----
> From: Heine Lysemose [mailto:lysemose at ...11827...]
> Sent: Tuesday, February 05, 2013 9:02 PM
> To: Andy
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Restart snort inline without traffic loss?
> 
> Hi Andy
> 
> On Feb 5, 2013 9:30 PM, "Andy" <a_w_smith at ...1396...> wrote:
> >
> > Hi,
> >
> > I am new to snort, I have it installed on a web server running inline mode
> > with iptables, nfqueue, barnyard2 and snorby.
> >
> > I've downloaded the emerging threats rules, firstly all the rules are
> > alerts, do I have to convert these to drop if I want to drop the traffic?
> >
> Have a look at Pulledpork, http://code.google.com/p/pulledpork/, it will
> do this for you + a lot of other cool things.
>
> > Assuming I do, how do I restart snort without losing good traffic,
> > currently if I kill the process and restart I lose about 30 seconds of
> > traffic while snort restarts, not good on an ecommerce site.
> >
> > I also would like a fail safe nfqueue bypass in case things go wrong, at the
> > moment if snort goes down I also get locked out but it's on a cron job to
> > restart if it's down for more than 1 minute.
> >
> > I need some advice please..
> >
> > Thanks.
> >
> 
> Regards,
> Lysemose