[Snort-users] Restart snort inline without traffic loss?

Andy a_w_smith at ...1396...
Fri Feb 8 05:06:48 EST 2013


Thanks, this leads to another question, can I configure dropsid.conf to
change alert to sdrop rather than drop when using pulledpork? I had a google
and didn't find much.

Thanks,
Andy

> -----Original Message-----
> From: Y M [mailto:snort at ...15979...]
> Sent: Friday, February 08, 2013 9:36 AM
> To: Andy; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Restart snort inline without traffic loss?
> 
> The drop action will drop the packet AND alert at the same time. If you
> want to completely ignore the alert for drop rules you can use the sdrop
> action.
> 
> YM
> ________________________________
> 
> From: Andy <mailto:a_w_smith at ...1396...>
> Sent: 2/8/2013 12:16 PM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Restart snort inline without traffic loss?
> 
> 
> Thanks, I have added 3 rules into dropsid.conf and re-run pulledpork, it
> said 3 rules had been set as drop, however I am still seeing alerts for the
> drop rules, for example in dropsid.conf I have:-
> 
> #ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake
> 1:2010908
> 
> I am still seeing this though:-
> 
> 02/08-08:57:28.629171  [**] [1:2010908:6] ET MALWARE Mozilla User-Agent
> (Mozilla/5.0) Inbound Likely Fake [**] [Classification: A Network Trojan was
> Detected] [Priority: 1] {TCP} 198.105.219.58:60340 -> ***
> 
> Also seeing the alert in snorby.
> 
> I have also tried restarting everything, do I need something else set to
> block this?
> 
> Thanks,
> Andy
> 
> > -----Original Message-----
> > From: Joel Esler [mailto:jesler at ...1935...]
> > Sent: Thursday, February 07, 2013 6:32 PM
> > To: Andy
> > Cc: snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] Restart snort inline without traffic loss?
> >
> > Look into dropsid.conf in pulledpork.  That may help you.
> >
> > --
> > Joel Esler
> > Senior Research Engineer, VRT
> > OpenSource Community Manager
> > Sourcefire
> >
> >
> > On Feb 7, 2013, at 12:55 PM, Andy <a_w_smith at ...1396...> wrote:
> >
> >
> >        Thanks for all the replies, I am still confused by the rules I am getting
> >        with pulledpork, every rule is an alert, none are a drop, so if I want snort
> >        to drop bad traffic what do I do? If I manually change an alert rule to a
> >        drop rule it will get overwritten on the next download, have I missed
> >        something?
> >
> >        Andy
> >
> >
> >
> >                -----Original Message-----
> >                From: Y M [mailto:snort at ...15979...]
> >                Sent: Wednesday, February 06, 2013 10:35 AM
> >                To: Andy
> >                Cc: snort-users at lists.sourceforge.net
> >                Subject: RE: [Snort-users] Restart snort inline without traffic loss?
> >
> >                If Snort is configured with reload option such as --enable-reload, then
> >                you can supply the -H argument to pulledpork whenever it is run. This will
> >                cause Snort to reload the new signatures processed by pulledpork without
> >                having to shut down the Snort process. However, there are certain limits to
> >                what can be reloaded, such as dynamic libraries, output plugins, and other
> >                configurations from the snort.conf file.
> >
> >                YM
> >                ________________________________
> >
> >                From: Andy <mailto:a_w_smith at ...1396...>
> >                Sent: 2/6/2013 1:27 PM
> >                To: 'Heine Lysemose' <mailto:lysemose at ...11827...>
> >                Cc: snort-users at lists.sourceforge.net
> >                Subject: Re: [Snort-users] Restart snort inline without traffic loss?
> >
> >
> >                Hi,
> >
> >                I am already using pulledpork, how can I use this to help with my issues?
> >
> >                Thanks,
> >                Andy.
> >
> >
> >
> >                        -----Original Message-----
> >                        From: Heine Lysemose [mailto:lysemose at ...14542....]
> >                        Sent: Tuesday, February 05, 2013 9:02 PM
> >                        To: Andy
> >                        Cc: snort-users at lists.sourceforge.net
> >                        Subject: Re: [Snort-users] Restart snort inline without traffic loss?
> >
> >                        Hi Andy
> >
> >                        On Feb 5, 2013 9:30 PM, "Andy" <a_w_smith at ...1396...> wrote:
> >
> >
> >
> >                                Hi,
> >
> >                                I am new to snort, I have it installed on a web server running inline mode
> >                                with iptables, nfqueue, barnyard2 and snorby.
> >
> >                                I've downloaded the emerging threats rules, firstly all the rules are
> >                                alerts, do I have to convert these to drop if I want to drop the traffic?
> >
> >                        Have a look at Pulledpork, http://code.google.com/p/pulledpork/, it will
> >                        do this for you + a lot of other cool things.
> >
> >                                Assuming I do, how do I restart snort without losing good traffic,
> >                                currently if I kill the process and restart I lose about 30 seconds of
> >                                traffic while snort restarts, not good on an ecommerce site.
> >
> >                                I also would like a fail safe nfqueue bypass in case things go wrong, at
> >                                the moment if snort goes down I also get locked out but it's on a cron job to
> >                                restart if it's down for more than 1 minute.
> >
> >                                I need some advice please..
> >
> >                                Thanks.
> >
> >                        Regards,
> >                        Lysemose
> >
> >
> >
> >
> >        ------------------------------------------------------------------------------
> >        Free Next-Gen Firewall Hardware Offer
> >        Buy your Sophos next-gen firewall before the end March 2013
> >        and get the hardware for free! Learn more.
> >        http://p.sf.net/sfu/sophos-d2d-feb
> >        _______________________________________________
> >        Snort-users mailing list
> >        Snort-users at lists.sourceforge.net
> >        Go to this URL to change user options or unsubscribe:
> >        https://lists.sourceforge.net/lists/listinfo/snort-users
> >        Snort-users list archive:
> >        http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> >        Please visit http://blog.snort.org to stay current on all the latest Snort news!
> >
> >
> >
> 
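The transformation behind the dropsid.conf discussion above (alert rule in, drop or sdrop rule out, selected by gid:sid), written out as an added example. This is not pulledpork's own code and not from the thread; it assumes the list format seen in the thread (one "gid:sid" per line, "#" comments) and Snort 2.x rule syntax where the action is the first word and "sid:" / optional "gid:" live in the options. The target action is a parameter so the same list can yield drop or sdrop rules; whether a particular pulledpork release exposes an sdrop option is something to check in its documentation, this only shows what the rewrite does. The rule lines in demo() are constructed, simplified stand-ins, not the real ET rule text.

```shell
#!/bin/sh
# Added example, not pulledpork's own code: apply a dropsid.conf-style
# "gid:sid" list to a Snort 2.x rules file, rewriting the action of every
# listed alert rule to ACTION (drop or sdrop). Assumed list format: one
# "gid:sid" per line, "#" starts a comment. A rule whose options carry no
# "gid:" is taken to be gid 1, which is what Snort assumes too.

# usage: set_rule_action SIDFILE ACTION < rules.in > rules.out
set_rule_action() {
    sidfile=$1
    action=$2
    awk -v action="$action" -v sidfile="$sidfile" '
    BEGIN {
        while ((getline line < sidfile) > 0) {
            sub(/#.*/, "", line)          # drop comments
            gsub(/[ \t\r]/, "", line)     # and whitespace
            if (line != "") want[line] = 1
        }
        close(sidfile)
    }
    # Comments, blank lines and rules that are already drop/pass/log go
    # through untouched; only alert rules are candidates.
    $1 != "alert" { print; next }
    {
        gid = "1"; sid = ""
        if (match($0, /sid:[ \t]*[0-9]+/)) {
            sid = substr($0, RSTART, RLENGTH); sub(/sid:[ \t]*/, "", sid)
        }
        if (match($0, /gid:[ \t]*[0-9]+/)) {
            gid = substr($0, RSTART, RLENGTH); sub(/gid:[ \t]*/, "", gid)
        }
        if (sid != "" && ((gid ":" sid) in want))
            sub(/^[ \t]*alert/, action)   # swap only the action keyword
        print
    }'
}

# Constructed sample input (simplified stand-ins, not the real ET rule text):
# the listed rule, an unlisted one, a commented-out copy, and the same sid
# under a different gid. Only the first line should change.
demo() {
    d=$(mktemp -d)
    cat > "$d/dropsid.conf" <<'EOF'
# ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake
1:2010908
EOF
    cat > "$d/sample.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake"; flow:established,to_server; sid:2010908; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed rule, not listed"; sid:2000001; rev:1;)
# alert tcp any any -> any any (msg:"commented out, must stay so"; sid:2010908; rev:1;)
alert tcp any any -> any any (msg:"constructed rule, same sid under gid 3"; gid:3; sid:2010908; rev:1;)
EOF
    set_rule_action "$d/dropsid.conf" "${1:-sdrop}" < "$d/sample.rules"
    rm -rf "$d"
}
```

Run it as `set_rule_action /etc/snort/dropsid.conf sdrop < emerging.rules > emerging.rules.new` (paths are placeholders). Two things to keep in mind with any such rewrite: the new file only takes effect once Snort re-reads it (the SIGHUP that pulledpork -H sends, on a Snort built with --enable-reload), and drop/sdrop only do anything when Snort is actually running inline (-Q with the nfq DAQ); in passive mode a drop rule can still only alert.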
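The two operational points in the thread, reloading rules without a restart and a fail-safe nfqueue bypass, as an added example that is not from the list or from the Snort/pulledpork projects. It assumes Snort was built with --enable-reload (so SIGHUP re-reads the rules in the running process, which is what pulledpork -H triggers), that Snort is bound to NFQUEUE number 0 through the nfq DAQ, and an iptables new enough for the NFQUEUE target's --queue-bypass option (1.4.11 on kernel 2.6.39 or later), which makes the kernel accept a queued packet when no program is listening on the queue instead of dropping it. The pidfile path is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or the Snort/pulledpork projects.
# Assumptions: Snort built with --enable-reload and running inline via the
# nfq DAQ on queue 0; iptables >= 1.4.11 on a kernel >= 2.6.39 for
# --queue-bypass; the Snort PID in /var/run/snort.pid (placeholder path).

QUEUE_NUM=${QUEUE_NUM:-0}
SNORT_PIDFILE=${SNORT_PIDFILE:-/var/run/snort.pid}

# Emit the iptables commands that push the host's own traffic through the
# queue. --queue-bypass tells the kernel to ACCEPT a packet when nothing is
# bound to the queue, so a crashed or restarting Snort fails open instead
# of locking the web server out. Printed rather than executed so the policy
# can be reviewed first (pipe into sh as root to apply).
nfqueue_rules() {
    for chain in INPUT OUTPUT; do
        printf 'iptables -A %s -j NFQUEUE --queue-num %s --queue-bypass\n' \
            "$chain" "$QUEUE_NUM"
    done
}

# Send SIGHUP (the reload signal for a Snort built with --enable-reload) and
# confirm the process is still alive GRACE seconds later. A dead Snort behind
# --queue-bypass passes traffic uninspected, which is exactly the state an
# operator needs to hear about, so a missing process is a hard failure.
reload_snort() {
    pid=$1
    grace=${2:-2}
    if ! kill -0 "$pid" 2>/dev/null; then
        echo "reload_snort: no process with pid $pid" >&2
        return 1
    fi
    kill -HUP "$pid" || return 1
    sleep "$grace"
    if ! kill -0 "$pid" 2>/dev/null; then
        echo "reload_snort: pid $pid went away after SIGHUP" >&2
        return 1
    fi
    echo "reload_snort: pid $pid reloaded"
}

# Wrapper for cron or a post-pulledpork hook: read the pidfile and reload.
reload_from_pidfile() {
    if [ ! -r "$SNORT_PIDFILE" ]; then
        echo "reload_from_pidfile: cannot read $SNORT_PIDFILE" >&2
        return 1
    fi
    reload_snort "$(cat "$SNORT_PIDFILE")" "${1:-2}"
}

# "sh this.sh rules" prints the iptables policy, "sh this.sh reload" reloads
# the running Snort; with no argument nothing is executed.
case "${1:-}" in
    rules)  nfqueue_rules ;;
    reload) reload_from_pidfile ;;
esac
```

The bypass is a deliberate fail-open choice: for the e-commerce box in the thread, a minute of uninspected traffic is cheaper than a minute of outage, but the liveness check has to be the other half of that trade, which is why reload_snort treats a vanished process as an error rather than something the cron restart will quietly paper over.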