[Snort-users] Restart snort inline without traffic loss?

Y M snort at ...15979...
Fri Feb 8 04:36:29 EST 2013


The drop action will drop the packet AND alert at the same time. If you want to completely ignore the alert for drop rules you can use sdrop action.

YM
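A worked illustration of the two points in this thread, the dropsid.conf conversion and the difference between drop and sdrop, as an added example that is not pulledpork's own code. It takes rules in Snort rule syntax plus a dropsid.conf-style list of gid:sid pairs, rewrites only the leading action keyword of the listed rules, and reports whether a converted rule will still write an alert in inline mode. The sid 2010908 and its message are the ones quoted in the thread; the rule options, the other sids and their bodies, and all function names are constructed for the example.

```python
import re

# Constructed sample in Snort rule syntax. sid 2010908 and its msg are quoted
# in the thread; the rule options, the other sids and their bodies are made up
# for this example and are not the real ET rule text.
SAMPLE_RULES = """\
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake"; flow:established,to_server; content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; classtype:trojan-activity; sid:2010908; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE ssh banner probe"; flow:to_server; sid:9000001; rev:1;)
# alert udp any any -> any 53 (msg:"SAMPLE rule left disabled"; sid:9000002; rev:1;)
"""

# Constructed dropsid.conf-style list: one "gid:sid" per line, '#' comments.
SAMPLE_DROPSID = """\
#ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake
1:2010908
"""

# Snort rule actions in inline mode as (packet is dropped, alert is logged).
# "drop" does both, which is why a converted rule still shows up in the alert
# log and in Snorby; "sdrop" drops silently with no alert.
ACTION_EFFECT = {
    "alert": (False, True),
    "drop": (True, True),
    "sdrop": (True, False),
    "pass": (False, False),
}

ACTION_RE = re.compile(r"^(?P<lead>\s*)(?P<action>alert|log|pass|drop|sdrop|reject)(?P<rest>\s+\S.*)$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def parse_sid_list(text):
    """Parse dropsid.conf-style text into a set of (gid, sid); a bare sid gets gid 1."""
    ids = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        gid, _, sid = line.partition(":")
        if not sid:
            gid, sid = "1", gid
        ids.add((int(gid), int(sid)))
    return ids


def rule_id(rule):
    """Return (gid, sid) of a rule line, or None if it carries no sid option."""
    sid = SID_RE.search(rule)
    if not sid:
        return None
    gid = GID_RE.search(rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def rewrite_actions(rules_text, drop_ids, sdrop_ids=frozenset()):
    """Rewrite the action keyword of every active rule whose (gid, sid) is listed.

    Only the leading action word changes; the rule body is left intact.
    Commented-out rules never match ACTION_RE and pass through unchanged.
    """
    out = []
    for line in rules_text.splitlines():
        m = ACTION_RE.match(line)
        rid = rule_id(line) if m else None
        if rid is not None and rid in sdrop_ids:
            line = f"{m.group('lead')}sdrop{m.group('rest')}"
        elif rid is not None and rid in drop_ids:
            line = f"{m.group('lead')}drop{m.group('rest')}"
        out.append(line)
    return "\n".join(out) + "\n"


def actions_by_id(rules_text):
    """Map (gid, sid) -> action keyword for every active (uncommented) rule."""
    result = {}
    for line in rules_text.splitlines():
        m = ACTION_RE.match(line)
        if m:
            rid = rule_id(line)
            if rid is not None:
                result[rid] = m.group("action")
    return result


def will_still_alert(rules_text, gid, sid):
    """True if the rule for (gid, sid) still writes an alert in inline mode."""
    action = actions_by_id(rules_text).get((gid, sid))
    return action is not None and ACTION_EFFECT.get(action, (False, True))[1]


if __name__ == "__main__":
    converted = rewrite_actions(SAMPLE_RULES, parse_sid_list(SAMPLE_DROPSID))
    print(converted)
    print("2010908 still alerts after drop conversion:", will_still_alert(converted, 1, 2010908))
    silent = rewrite_actions(SAMPLE_RULES, set(), parse_sid_list(SAMPLE_DROPSID))
    print("2010908 still alerts after sdrop conversion:", will_still_alert(silent, 1, 2010908))
```

Running it shows the listed rule rewritten to `drop` while the untouched rule stays `alert` and the commented-out rule is ignored; the same list fed in as sdrop_ids produces a rule that blocks without alerting, which is the behaviour the reply above describes.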
________________________________
From: Andy<mailto:a_w_smith at ...1396...>
Sent: 2/8/2013 12:16 PM
To: snort-users at lists.sourceforge.net<mailto:snort-users at ...3783...net>
Subject: Re: [Snort-users] Restart snort inline without traffic loss?

Thanks, I have added 3 rules into dropsid.conf and re-run pulledpork, it
said 3 rules had been set as drop, however I am still seeing alerts for the
drop rules, for example in dropsid.conf I have:-

#ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake
1:2010908

I am still seeing this though:-

02/08-08:57:28.629171  [**] [1:2010908:6] ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 198.105.219.58:60340 -> ***

Also seeing the alert in snorby.

I have also tried restarting everything, do I need something else set to
block this?

Thanks,
Andy

> -----Original Message-----
> From: Joel Esler [mailto:jesler at ...1935...]
> Sent: Thursday, February 07, 2013 6:32 PM
> To: Andy
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Restart snort inline without traffic loss?
>
> Look into dropsid.conf in pulledpork.  That may help you.
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
>
> On Feb 7, 2013, at 12:55 PM, Andy <a_w_smith at ...1396...> wrote:
>
>
>       Thanks for all the replies, I am still confused by the rules I am getting with pulledpork, every rule is an alert, none are a drop, so if I want snort to drop bad traffic what do I do? If I manually change an alert rule to a drop rule it will get overwritten on the next download, have I missed something?
>
>       Andy
>
>
>
>               -----Original Message-----
>               From: Y M [mailto:snort at ...15979...]
>               Sent: Wednesday, February 06, 2013 10:35 AM
>               To: Andy
>               Cc: snort-users at lists.sourceforge.net
>               Subject: RE: [Snort-users] Restart snort inline without traffic loss?
>
>               If Snort is configured with reload option such as --enable-reload, then you can supply the -H argument to pulledpork whenever it is run. This will cause Snort to reload the new signatures processed by pulledpork without having to shut down the Snort process. However, there are certain limits to what can be reloaded, such as dynamic libraries, output plugins, and other configurations from the snort.conf file.
>
>               YM
>               ________________________________
>
>               From: Andy <mailto:a_w_smith at ...1396...>
>               Sent: 2/6/2013 1:27 PM
>               To: 'Heine Lysemose' <mailto:lysemose at ...11827...>
>               Cc: snort-users at lists.sourceforge.net
>               Subject: Re: [Snort-users] Restart snort inline without traffic loss?
>
>
>               Hi,
>
>               I am already using pulledpork, how can I use this to help with my issues?
>
>               Thanks,
>               Andy.
>
>
>
>                       -----Original Message-----
>                       From: Heine Lysemose [mailto:lysemose at ...11827...]
>                       Sent: Tuesday, February 05, 2013 9:02 PM
>                       To: Andy
>                       Cc: snort-users at lists.sourceforge.net
>                       Subject: Re: [Snort-users] Restart snort inline without traffic loss?
>
>                       Hi Andy
>
>                       On Feb 5, 2013 9:30 PM, "Andy" <a_w_smith at ...1396...> wrote:
>
>                               Hi,
>
>                               I am new to snort, I have it installed on a web server running inline mode with iptables, nfqueue, barnyard2 and snorby.
>
>                               I've downloaded the emerging threats rules, firstly all the rules are alerts, do I have to convert these to drop if I want to drop the traffic?
>
>                       Have a look at Pulledpork, http://code.google.com/p/pulledpork/, it will do this for you + a lot of other cool things.
>
>                               Assuming I do, how do I restart snort without losing good traffic, currently if I kill the process and restart I lose about 30 seconds of traffic while snort restarts, not good on an ecommerce site.
>
>                               I also would like a fail safe nfqueue bypass in case things go wrong, at the moment if snort goes down I also get locked out but it's on a cron job to restart if it's down for more than 1 minute.
>
>                               I need some advice please..
>
>                               Thanks.
>
>                       Regards,
>                       Lysemose


------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

