[Snort-users] Restart snort inline without traffic loss?

Andy a_w_smith at ...1396...
Thu Feb 7 12:55:09 EST 2013


Thanks for all the replies. I am still confused by the rules I am getting
with pulledpork: every rule is an alert, none are a drop, so if I want snort
to drop bad traffic, what do I do? If I manually change an alert rule to a
drop rule it will get overwritten on the next download. Have I missed
something?

Andy

> -----Original Message-----
> From: Y M [mailto:snort at ...15979...]
> Sent: Wednesday, February 06, 2013 10:35 AM
> To: Andy
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Restart snort inline without traffic loss?
> 
> If Snort is configured with a reload option such as --enable-reload, then
> you can supply the -H argument to pulledpork whenever it is run. This will
> cause Snort to reload the new signatures processed by pulledpork without
> having to shut down the Snort process. However, there are certain limits to
> what can be reloaded, such as dynamic libraries, output plugins, and other
> configurations from the snort.conf file.
> 
> YM
> ________________________________
> 
> From: Andy <mailto:a_w_smith at ...1396...>
> Sent: 2/6/2013 1:27 PM
> To: 'Heine Lysemose' <mailto:lysemose at ...11827...>
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Restart snort inline without traffic loss?
> 
> 
> Hi,
> 
> I am already using pulledpork, how can I use this to help with my issues?
> 
> Thanks,
> Andy.
> 
> > -----Original Message-----
> > From: Heine Lysemose [mailto:lysemose at ...11827...]
> > Sent: Tuesday, February 05, 2013 9:02 PM
> > To: Andy
> > Cc: snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] Restart snort inline without traffic loss?
> >
> > Hi Andy
> >
> > On Feb 5, 2013 9:30 PM, "Andy" <a_w_smith at ...1396...> wrote:
> > >
> > > Hi,
> > >
> > > I am new to snort, I have it installed on a web server running inline mode
> > > with iptables, nfqueue, barnyard2 and snorby.
> > >
> > > I've downloaded the emerging threats rules, firstly all the rules are
> > > alerts, do I have to convert these to drop if I want to drop the traffic?
> > >
> > Have a look at Pulledpork, http://code.google.com/p/pulledpork/, it will
> > do this for you + a lot of other cool things.
> >
> > > Assuming I do, how do I restart snort without losing good traffic,
> > > currently if I kill the process and restart I lose about 30 seconds of
> > > traffic while snort restarts, not good on an ecommerce site.
> > >
> > > I also would like a fail safe nfqueue bypass in case things go wrong, at the
> > > moment if snort goes down I also get locked out but it's on a cron job to
> > > restart if it's down for more than 1 minute.
> > >
> > > I need some advice please..
> > >
> > > Thanks.
> > >
> >
> > Regards,
> > Lysemose
> > >
> > > ----------------------------------------------------------------------
> --
> > ------
> > > Free Next-Gen Firewall Hardware Offer
> > > Buy your Sophos next-gen firewall before the end March 2013
> > > and get the hardware for free! Learn more.
> > > http://p.sf.net/sfu/sophos-d2d-feb
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> <http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users>
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
> >
> 
> 
> 





