[Snort-users] Restart snort inline without traffic loss?

waldo kitty wkitty42 at ...14940...
Wed Feb 6 12:41:09 EST 2013


On 2/5/2013 15:26, Andy wrote:
> Assuming I do, how do I restart snort without losing good traffic,
> currently if I kill the process and restart I lose about 30 seconds of
> traffic while snort restarts, not good on an ecommerce site.

do you have snort compiled with "--enable-reload"?? if yes, then you may be able 
to trigger your reload without losing traffic... with this option, snort will 
reload the config and rules into memory and start using them for *new* 
connections... /existing/ connections will continue to use the old config and 
rules in memory... after those existing connections complete/terminate, snort 
will then flush the old config and rules out of memory and all connections will 
use the new config and rules...

be warned that this may require a "bit" more memory but it should allow you to 
reload without losing traffic monitoring for that time period...
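
An added example, not part of the original post and not code from the Snort project: a shell helper that checks the new configuration with Snort's test mode (`-T`) and only then sends SIGHUP, the signal a Snort 2.9.x build with `--enable-reload` treats as a reload request. The `SNORT_BIN` variable, the function name, and the config and PID-file paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Snort 2.9.x built with
# --enable-reload; the paths passed in are placeholders chosen by the caller.
SNORT_BIN="${SNORT_BIN:-snort}"   # assumption: override to pick a specific binary

# snort_reload CONF PIDFILE
# Returns 0 after sending SIGHUP; returns non-zero and sends nothing otherwise.
snort_reload() {
    conf="$1"
    pidfile="$2"

    [ -r "$conf" ] || { echo "config not readable: $conf" >&2; return 2; }
    [ -r "$pidfile" ] || { echo "pid file not readable: $pidfile" >&2; return 3; }

    # Refuse anything that is not a plain decimal PID before handing it to kill.
    pid=$(cat "$pidfile")
    case "$pid" in
        ''|*[!0-9]*) echo "pid file does not hold a PID" >&2; return 3 ;;
    esac
    kill -0 "$pid" 2>/dev/null || { echo "no process with PID $pid" >&2; return 4; }

    # -T parses the config and rules, then exits. A non-zero status means the
    # new files would not load, so the running sensor is left on its old rules.
    if ! "$SNORT_BIN" -T -c "$conf" >/dev/null 2>&1; then
        echo "config test failed, running Snort left untouched" >&2
        return 5
    fi

    # Ask the running process to reload; per the post, existing connections
    # finish on the old config and new connections use the new one.
    kill -HUP "$pid"
}
```

Called as `snort_reload /path/to/snort.conf /path/to/snort.pid`; the exit status tells a wrapper or cron job whether the signal was actually sent.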



