[Snort-users] Restart snort inline without traffic loss?

Andy a_w_smith at ...1396...
Fri Feb 8 04:15:51 EST 2013


Thanks, I have added 3 rules into dropsid.conf and re-run pulledpork, it said 3 rules had been set as drop, however I am still seeing alerts for the drop rules, for example in dropsid.conf I have:-

#ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake
1:2010908

I am still seeing this though:-

02/08-08:57:28.629171  [**] [1:2010908:6] ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 198.105.219.58:60340 -> ***

Also seeing the alert in snorby.

I have also tried restarting everything, do I need something else set to block this?

Thanks,
Andy
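As an added example (not from this thread and not pulledpork's own code): a small Python script that performs the alert-to-drop rewrite dropsid.conf asks pulledpork for, and then audits the rules file Snort actually loads, so you can see what action a listed sid such as 1:2010908 really has. The file contents are constructed, and the handling of bare sids and `#` comments in dropsid.conf is assumed.

```python
import re

# Constructed sample input, not from the thread: the dropsid.conf entry Andy
# quoted plus one unrelated rule that should stay an alert.
DROPSID_CONF = """\
#ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake
1:2010908
"""
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake"; sid:2010908; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY example"; sid:2000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"disabled example"; sid:2000002; rev:1;)
"""

ACTION_RE = re.compile(r'^(alert|log|pass|drop|sdrop|reject)\s')

def parse_dropsid(text):
    """(gid, sid) pairs from dropsid.conf lines; '#' comments ignored, gid assumed 1 if absent."""
    wanted = set()
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line:
            gid, _, sid = line.rpartition(':')
            wanted.add((int(gid or 1), int(sid)))
    return wanted

def rule_id(line):
    """(gid, sid) of an active rule line, or None for comments and blank lines."""
    sid = re.search(r'\bsid:\s*(\d+)\s*;', line)
    if not ACTION_RE.match(line) or not sid:
        return None
    gid = re.search(r'\bgid:\s*(\d+)\s*;', line)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))

def apply_dropsid(rules_text, wanted):
    """Turn 'alert' into 'drop' for every listed rule (the rewrite pulledpork performs)."""
    out = []
    for line in rules_text.splitlines():
        if rule_id(line) in wanted and line.startswith('alert '):
            line = 'drop ' + line[len('alert '):]
        out.append(line)
    return '\n'.join(out) + '\n'

def audit(rules_text, wanted):
    """Action actually set for each requested rule in the file Snort loads, or 'missing'.
    Any entry that is not 'drop' explains why Snort still alerts on it."""
    found = {rule_id(l): ACTION_RE.match(l).group(1)
             for l in rules_text.splitlines() if rule_id(l) in wanted}
    return {rid: found.get(rid, 'missing') for rid in wanted}
```

Run `audit()` against the rules file named in your snort.conf rather than the pulledpork output: if the sid shows as `alert` or `missing` there, Snort never loaded the rewritten rule.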

> -----Original Message-----
> From: Joel Esler [mailto:jesler at ...1935...]
> Sent: Thursday, February 07, 2013 6:32 PM
> To: Andy
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Restart snort inline without traffic loss?
> 
> Look into dropsid.conf in pulledpork.  That may help you.
> 
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
> 
> 
> On Feb 7, 2013, at 12:55 PM, Andy <a_w_smith at ...1396...> wrote:
> 
> 
> 	Thanks for all the replies, I am still confused by the rules I am getting with pulledpork, every rule is an alert, none are a drop, so if I want snort to drop bad traffic what do I do? If I manually change an alert rule to a drop rule it will get overwritten on the next download, have I missed something?
> 
> 	Andy
> 
> 
> 
> 		-----Original Message-----
> 		From: Y M [mailto:snort at ...15979...]
> 		Sent: Wednesday, February 06, 2013 10:35 AM
> 		To: Andy
> 		Cc: snort-users at lists.sourceforge.net
> 		Subject: RE: [Snort-users] Restart snort inline without traffic loss?
> 
> 		If Snort is configured with reload option such as --enable-reload, then you can supply the -H argument to pulledpork whenever it is run. This will cause Snort to reload the new signatures processed by pulledpork without having to shut down the Snort process. However, there are certain limits to what can be reloaded, such as dynamic libraries, output plugins, and other configurations from the snort.conf file.
> 
> 		YM
> 		________________________________
> 
> 		From: Andy <mailto:a_w_smith at ...1396...>
> 		Sent: 2/6/2013 1:27 PM
> 		To: 'Heine Lysemose' <mailto:lysemose at ...11827...>
> 		Cc: snort-users at lists.sourceforge.net
> 		Subject: Re: [Snort-users] Restart snort inline without traffic loss?
> 
> 
> 		Hi,
> 
> 		I am already using pulledpork, how can I use this to help with my issues?
> 
> 		Thanks,
> 		Andy.
> 
> 
> 
> 			-----Original Message-----
> 			From: Heine Lysemose [mailto:lysemose at ...11827...]
> 			Sent: Tuesday, February 05, 2013 9:02 PM
> 			To: Andy
> 			Cc: snort-users at lists.sourceforge.net
> 			Subject: Re: [Snort-users] Restart snort inline without traffic loss?
> 
> 			Hi Andy
> 
> 			On Feb 5, 2013 9:30 PM, "Andy" <a_w_smith at ...1396...> wrote:
> 
> 				Hi,
> 
> 				I am new to snort, I have it installed on a web server running inline mode with iptables, nfqueue, barnyard2 and snorby.
> 
> 				I've downloaded the emerging threats rules, firstly all the rules are alerts, do I have to convert these to drop if I want to drop the traffic?
> 
> 			Have a look at Pulledpork, http://code.google.com/p/pulledpork/, it will do this for you + a lot of other cool things.
> 
> 				Assuming I do, how do I restart snort without losing good traffic, currently if I kill the process and restart I lose about 30 seconds of traffic while snort restarts, not good on an ecommerce site.
> 
> 				I also would like a fail safe nfqueue bypass in case things go wrong, at the moment if snort goes down I also get locked out but it's on a cron job to restart if it's down for more than 1 minute.
> 
> 				I need some advice please..
> 
> 				Thanks.
> 
> 			Regards,
> 			Lysemose
> 
> 
> 
> 			----------------------------------------------------------------------
> 			Free Next-Gen Firewall Hardware Offer
> 			Buy your Sophos next-gen firewall before the end March 2013
> 			and get the hardware for free! Learn more.
> 			http://p.sf.net/sfu/sophos-d2d-feb
> 			_______________________________________________
> 			Snort-users mailing list
> 			Snort-users at lists.sourceforge.net
> 			Go to this URL to change user options or unsubscribe:
> 			https://lists.sourceforge.net/lists/listinfo/snort-users
> 			Snort-users list archive:
> 			http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> 			Please visit http://blog.snort.org to stay current on all the latest Snort news!