[Snort-users] Restart snort inline without traffic loss?

waldo kitty wkitty42 at ...14940...
Wed Feb 6 12:43:32 EST 2013


On 2/6/2013 06:19, Mitesh Jadia wrote:
> you can write one restart script.
>
> steps
>
> - remove iptables entries targeting nf_queue
> - restart snort
> - apply iptables entries targeting nf_queue

this will still cause the loss of traffic monitoring while snort is down... my 
understanding is that losing traffic monitoring is what the OP was trying to 
avoid...

> On Wed, Feb 6, 2013 at 1:56 AM, Andy <a_w_smith at ...1396...
> <mailto:a_w_smith at ...1396...>> wrote:
>
>     Hi,
>
>     I am new to snort, I have it installed on a web server running inline mode
>     with iptables, nfqueue, barnyard2 and snorby.
>
>     I've downloaded the emerging threats rules, firstly all the rules are
>     alerts, do I have to convert these to drop if I want to drop the traffic?
>
>     Assuming I do, how do I restart snort without losing good traffic?
>     Currently if I kill the process and restart I lose about 30 seconds of
>     traffic while snort restarts, not good on an ecommerce site.
>
>     I also would like a fail-safe nfqueue bypass in case things go wrong. At the
>     moment if snort goes down I also get locked out, but it's on a cron job to
>     restart if it's down for more than 1 minute.
>
>     I need some advice, please.
>
>     Thanks.
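The restart sequence quoted above (delete the NFQUEUE rules, restart snort, re-add the rules) and the OP's two requests (a short restart window, and not being locked out when snort dies) can be put into one script. The following is an added example written for this page, not a script from the thread or from the Snort project. It assumes snort is started as `snort -Q --daq nfq --daq-var queue=N -c snort.conf -D`, that the only NFQUEUE rules on the box are the INPUT/OUTPUT hand-off rules the script manages, and an iptables/kernel new enough (iptables 1.4.11, kernel 2.6.39) for the NFQUEUE `--queue-bypass` option, which makes the kernel accept packets when no process is bound to the queue instead of dropping them. That option is the fail-safe, but it is also the caveat waldo raises: while snort is down traffic passes uninspected, so the script shortens the gap rather than removing it, and it only re-inserts the rules once `/proc/net/netfilter/nfnetlink_queue` shows the queue has a listener. Paths, the `DRY_RUN` switch and the `run` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: restart inline Snort on NFQUEUE while
# keeping the host reachable.  Assumptions (hypothetical, adjust to your box):
#   - Snort runs as  snort -Q --daq nfq --daq-var queue=N -c snort.conf -D
#   - the only NFQUEUE rules are the INPUT/OUTPUT ones this script manages
#   - iptables >= 1.4.11 and kernel >= 2.6.39 (needed for --queue-bypass)
# --queue-bypass makes the kernel ACCEPT packets when nobody is bound to the
# queue instead of dropping them: the fail-safe, at the price of uninspected
# traffic while Snort is down.
set -eu

QUEUE_NUM="${QUEUE_NUM:-0}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

# run CMD ARGS... : execute, or only print the command line when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# nfqueue_target QUEUE : the jump target used by every rule (always with bypass)
nfqueue_target() {
    printf 'NFQUEUE --queue-num %s --queue-bypass' "$1"
}

# nfqueue_rules -I|-D QUEUE : insert or delete the INPUT/OUTPUT hand-off rules
nfqueue_rules() {
    # shellcheck disable=SC2046  # splitting the target into words is intended
    run iptables "$1" INPUT -j $(nfqueue_target "$2")
    run iptables "$1" OUTPUT -j $(nfqueue_target "$2")
}

# queue_has_listener QUEUE : true once a process is bound to the queue.
# /proc/net/netfilter/nfnetlink_queue lists one bound queue per line;
# first column is the queue number, second the netlink portid of the listener.
queue_has_listener() {
    if [ "$DRY_RUN" = 1 ]; then return 0; fi
    awk -v q="$1" '$1 == q { found = 1 } END { exit !found }' \
        /proc/net/netfilter/nfnetlink_queue 2>/dev/null
}

# wait_for_queue QUEUE SECONDS : poll until the queue has a listener or give up
wait_for_queue() {
    n=0
    until queue_has_listener "$1"; do
        n=$((n + 1))
        [ "$n" -lt "$2" ] || return 1
        sleep 1
    done
}

# restart_snort_inline : the sequence from the thread, with the missing checks
#   1. delete the hand-off rules   (traffic flows, uninspected)
#   2. stop snort and wait for it to exit
#   3. start snort and wait until it is bound to the queue
#   4. re-insert the hand-off rules (inspection resumes)
restart_snort_inline() {
    nfqueue_rules -D "$QUEUE_NUM" || true          # tolerate "no such rule"
    run pkill -TERM -x snort || true
    if [ "$DRY_RUN" != 1 ]; then
        while pgrep -x snort >/dev/null; do sleep 1; done
    fi
    run snort -Q --daq nfq --daq-var queue="$QUEUE_NUM" -c "$SNORT_CONF" -D
    wait_for_queue "$QUEUE_NUM" 15 || {
        echo "snort did not bind queue $QUEUE_NUM; rules left off" >&2
        return 1
    }
    nfqueue_rules -I "$QUEUE_NUM"
}

# Act only when invoked as  ./snort-restart.sh run ; sourcing just defines the functions.
if [ "${1:-}" = run ]; then restart_snort_inline; fi
```

Run it once with `DRY_RUN=1 ./snort-restart.sh run` to see the exact iptables and snort command lines before letting it touch a production firewall. The order matters: the rules go back only after the queue shows a listener, so a snort that fails to start (bad rule syntax after converting alerts to drops, for instance) leaves the box reachable and the script exits non-zero for the cron job to notice.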
