[Snort-users] Restart snort inline without traffic loss?
wkitty42 at ...14940...
Wed Feb 6 12:41:09 EST 2013
On 2/5/2013 15:26, Andy wrote:
> Assuming I do, how do I restart snort without losing good traffic,
> currently if I kill the process and restart I lose about 30 seconds of
> traffic while snort restarts, not good on an ecommerce site.
do you have snort compiled with "--enable-reload"?? if yes, then you may be able
to trigger your reload without losing traffic... with this option, snort will
reload the config and rules into memory and start using them for *new*
connections... /existing/ connections will continue to use the old config and
rules in memory... after those existing connections complete/terminate, snort
will then flush the old config and rules out of memory and all connections will
use the new config and rules...
be warned that this may require a "bit" more memory but it should allow you to
reload without losing traffic monitoring for that time period...