[Snort-users] Restart snort inline without traffic loss?
wkitty42 at ...14940...
Wed Feb 6 12:43:32 EST 2013
On 2/6/2013 06:19, Mitesh Jadia wrote:
> you can write one restart script.
> - remove iptables entries targeting nf_queue
> - restart snort
> - apply iptables entries targeting nf_queue
this will still cause the loss of traffic monitoring while snort is down... my
understanding is that losing traffic monitoring is what the OP was trying to
> On Wed, Feb 6, 2013 at 1:56 AM, Andy <a_w_smith at ...1396...> wrote:
> I am new to snort, I have it installed on a web server running inline mode
> with iptables, nfqueue, barnyard2 and snorby.
> I've downloaded the emerging threats rules, firstly all the rules are
> alerts, do I have to convert these to drop if I want to drop the traffic?
> Assuming I do, how do I restart snort without losing good traffic,
> currently if I kill the process and restart I lose about 30 seconds of
> traffic while snort restarts, not good on an ecommerce site.
> I also would like a fail safe nfqueue bypass in case things go wrong, at the
> moment if snort goes down I also get locked out but it's on a cron job to
> restart if it's down for more than 1 minute.
> I need some advice please..
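
Added example, not part of the thread or of either poster's setup: a restart wrapper that swaps the NFQUEUE rule for a fail-open one using the iptables `--queue-bypass` option, which covers both the restart gap and the lockout described above. Queue number 0, the `INPUT` chain, and the `service snort restart` command are assumptions; `--queue-bypass` needs Linux 2.6.39+ and iptables 1.4.11+.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values: queue 0, INPUT chain,
# and an init script named "snort". Adjust to the local ruleset.
QUEUE_NUM="${QUEUE_NUM:-0}"
CHAIN="${CHAIN:-INPUT}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands instead of running them

# Run a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Build the NFQUEUE rule spec. "bypass" adds --queue-bypass: when no program
# is bound to the queue, the rule behaves like ACCEPT instead of dropping.
nfq_rule() {
    spec="-j NFQUEUE --queue-num $QUEUE_NUM"
    if [ "$1" = "bypass" ]; then spec="$spec --queue-bypass"; fi
    echo "$spec"
}

restart_inline() {
    # Insert the fail-open rule first so there is never a moment with no
    # NFQUEUE rule, then remove the old fail-closed rule if it exists.
    # $(nfq_rule ...) is left unquoted on purpose so it splits into arguments.
    run iptables -I "$CHAIN" 1 $(nfq_rule bypass)
    run iptables -D "$CHAIN" $(nfq_rule strict) || true

    # Traffic keeps flowing during the restart but is NOT inspected, so
    # record the gap in syslog for later review.
    run logger -t snort-restart "inspection gap start"
    run service snort restart
    run logger -t snort-restart "inspection gap end"
}

# Print the plan by default; pass "apply" as the first argument to execute
# it (requires root).
if [ "${1:-}" = "apply" ]; then DRY_RUN=0; fi
restart_inline
```

This removes the outage and the lockout, not the monitoring gap raised in the reply: packets that arrive while Snort is down are accepted uninspected.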