[Snort-users] Restart snort inline without traffic loss?

Joel Esler jesler at ...1935...
Thu Feb 7 13:31:49 EST 2013


Look into dropsid.conf in pulledpork.  That may help you.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

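As an added example, not code from pulledpork or from anyone in this thread: the alert-to-drop rewrite that a dropsid.conf entry asks pulledpork to perform, done in POSIX shell with awk so the effect on the rule lines is visible. It assumes the dropsid.conf convention of one gid:sid per line (with # comments); the file names and rule lines are constructed for the demo.

```shell
#!/bin/sh
# Added illustration of what a dropsid.conf entry does: every "alert" rule
# whose gid:sid is listed becomes a "drop" rule. This mimics pulledpork's
# behaviour; it is not pulledpork's code.

# rules_to_drop DROPSID_FILE RULES_FILE  -> rewritten rules on stdout
rules_to_drop() {
    awk -v dropfile="$1" '
    BEGIN {
        # dropsid.conf style (assumed): one "gid:sid" per line, "#" comments
        while ((getline line < dropfile) > 0) {
            sub(/#.*/, "", line)        # strip comments
            gsub(/[ \t]/, "", line)     # and whitespace
            if (line != "") want[line] = 1
        }
        close(dropfile)
    }
    /^alert[ \t]/ {
        gid = "1"; sid = ""             # gid defaults to 1 when not written
        if (match($0, /gid:[ \t]*[0-9]+/)) {
            gid = substr($0, RSTART + 4, RLENGTH - 4); gsub(/[ \t]/, "", gid)
        }
        if (match($0, /sid:[ \t]*[0-9]+/)) {
            sid = substr($0, RSTART + 4, RLENGTH - 4); gsub(/[ \t]/, "", sid)
        }
        if (sid != "" && ((gid ":" sid) in want)) sub(/^alert/, "drop")
    }
    { print }                           # non-matching lines pass through
    ' "$2"
}

# demo_rules_to_drop: writes constructed input to a temp dir, prints the result
demo_rules_to_drop() {
    d=$(mktemp -d)
    cat > "$d/dropsid.conf" <<'EOF'
# constructed dropsid.conf for the example: one gid:sid per line
1:2000001
1:2000003   # trailing comment is ignored
EOF
    cat > "$d/local.rules" <<'EOF'
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE one"; sid:2000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE two"; sid:2000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE three"; gid:1; sid:2000003; rev:2;)
# comment line stays as-is
EOF
    rules_to_drop "$d/dropsid.conf" "$d/local.rules"
    rm -rf "$d"
}

demo_rules_to_drop
```

Only rules 2000001 and 2000003 come out as drop; 2000002 stays an alert. Because pulledpork applies dropsid.conf on every download, changes made this way survive the next rule update, unlike hand edits to the rules file, which is the problem Andy describes. Piping the rewritten file through grep '^drop' is a quick check that the intended SIDs, and only those, were converted before you reload Snort.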
On Feb 7, 2013, at 12:55 PM, Andy <a_w_smith at ...1396...> wrote:

> Thanks for all the replies. I am still confused by the rules I am getting
> with pulledpork: every rule is an alert, none is a drop, so if I want snort
> to drop bad traffic what do I do? If I manually change an alert rule to a
> drop rule it will get overwritten on the next download; have I missed
> something?
> 
> Andy
> 
>> -----Original Message-----
>> From: Y M [mailto:snort at ...15979...]
>> Sent: Wednesday, February 06, 2013 10:35 AM
>> To: Andy
>> Cc: snort-users at lists.sourceforge.net
>> Subject: RE: [Snort-users] Restart snort inline without traffic loss?
>> 
>> If Snort is configured with the reload option (--enable-reload), then
>> you can supply the -H argument to pulledpork whenever it is run. This will
>> cause Snort to reload the new signatures processed by pulledpork without
>> having to shut down the Snort process. However, there are certain limits to
>> what can be reloaded, such as dynamic libraries, output plugins, and other
>> configurations from the snort.conf file.
>> 
>> YM
>> ________________________________
>> 
>> From: Andy <mailto:a_w_smith at ...1396...>
>> Sent: 2/6/2013 1:27 PM
>> To: 'Heine Lysemose' <mailto:lysemose at ...11827...>
>> Cc: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Restart snort inline without traffic loss?
>> 
>> 
>> Hi,
>> 
>> I am already using pulledpork, how can I use this to help with my issues?
>> 
>> Thanks,
>> Andy.
>> 
>>> -----Original Message-----
>>> From: Heine Lysemose [mailto:lysemose at ...11827...]
>>> Sent: Tuesday, February 05, 2013 9:02 PM
>>> To: Andy
>>> Cc: snort-users at lists.sourceforge.net
>>> Subject: Re: [Snort-users] Restart snort inline without traffic loss?
>>> 
>>> Hi Andy
>>> 
>>> On Feb 5, 2013 9:30 PM, "Andy" <a_w_smith at ...1396...> wrote:
>>>> 
>>>> Hi,
>>>> 
>>>> I am new to snort; I have it installed on a web server running inline
>>>> mode with iptables, nfqueue, barnyard2 and snorby.
>>>> 
>>>> I've downloaded the emerging threats rules. Firstly, all the rules are
>>>> alerts; do I have to convert these to drop if I want to drop the
>>>> traffic?
>>>> 
>>> Have a look at Pulledpork, http://code.google.com/p/pulledpork/, it will
>>> do this for you + a lot of other cool things.
>>>> Assuming I do, how do I restart snort without losing good traffic?
>>>> Currently if I kill the process and restart I lose about 30 seconds of
>>>> traffic while snort restarts, not good on an ecommerce site.
>>>> 
>>>> I also would like a fail-safe nfqueue bypass in case things go wrong; at
>>>> the moment if snort goes down I also get locked out, but it's on a cron
>>>> job to restart if it's down for more than 1 minute.
>>>> 
>>>> I need some advice please..
>>>> 
>>>> Thanks.
>>>> 
>>> 
>>> Regards,
>>> Lysemose
>>>> 
>>>> ------------------------------------------------------------------------------
>>>> Free Next-Gen Firewall Hardware Offer
>>>> Buy your Sophos next-gen firewall before the end March 2013
>>>> and get the hardware for free! Learn more.
>>>> http://p.sf.net/sfu/sophos-d2d-feb
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>> 
>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>> Snort news!
>>> 
>> 
> 

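An added example covering the two questions the thread leaves open (reloading rules into a running Snort, and failing open when Snort is down); it is not from any of the posters or from the Snort or pulledpork projects. The queue number and the config paths are assumptions, and every command is printed rather than executed unless the script is run as root with APPLY=1.

```shell
#!/bin/sh
# Added illustration, not the posters' or the projects' code. Shows the
# iptables NFQUEUE rule with --queue-bypass (fail open when nothing is
# bound to the queue), the matching inline Snort invocation, and the
# pulledpork -H call that makes a reload-enabled Snort pick up new rules
# without a restart. Queue number and paths below are assumptions.

QUEUE=${QUEUE:-0}                                   # assumed queue number
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}     # assumed path
PP_CONF=${PP_CONF:-/etc/snort/pulledpork.conf}      # assumed path

# run: print the command; execute it only when APPLY=1 (needs root)
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# nfq_rules: queue the web server's HTTP/HTTPS traffic to Snort. Without
# --queue-bypass, packets are dropped whenever no program is bound to the
# queue, which is why a dead Snort locks the site (and its admin) out.
# With it, the rule behaves like ACCEPT while the queue is unbound, so a
# crash or restart passes traffic uninspected instead of blackholing it.
nfq_rules() {
    for chain in INPUT OUTPUT; do
        run iptables -A "$chain" -p tcp -m multiport --ports 80,443 \
            -j NFQUEUE --queue-num "$QUEUE" --queue-bypass
    done
}

# snort_inline: bind Snort to the same queue in inline (-Q) mode with the
# nfq DAQ, daemonised.
snort_inline() {
    run snort -Q --daq nfq --daq-var queue="$QUEUE" -c "$SNORT_CONF" -D
}

# update_rules: fetch rules (dropsid.conf applied) and SIGHUP the Snort
# pid(s) named by pid_path in pulledpork.conf. Only a Snort built with
# --enable-reload reloads on SIGHUP; otherwise it would restart.
update_rules() {
    run pulledpork.pl -c "$PP_CONF" -H
}

nfq_rules
snort_inline
update_rules
```

The trade-off is deliberate: --queue-bypass turns "Snort is down" into "traffic is uninspected" rather than "site is down", which is what a fail-safe bypass means; leave it off only where a blackhole is preferable to uninspected traffic. The restart gap Andy measured also shrinks to nothing with this rule, since packets are accepted while the queue is unbound. The update_rules path needs Snort built with --enable-reload and pid_path set in pulledpork.conf, and, as YM notes, only the rule set and a subset of snort.conf are reloadable; DAQ and output-plugin changes still require a restart.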