[Snort-users] Restart snort inline without traffic loss?

Joel Esler jesler at ...1935...
Fri Feb 8 10:07:42 EST 2013


I don't think that option is available.  I don't know why you'd want to drop something and not know what dropped it.  IMHO.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Feb 8, 2013, at 5:06 AM, Andy <a_w_smith at ...1396...> wrote:

> Thanks, this leads to another question, can I configure dropsid.conf to
> change alert to sdrop rather than drop when using pulledpork, I had a google
> and didn't find much?
> 
> Thanks,
> Andy
> 
>> -----Original Message-----
>> From: Y M [mailto:snort at ...15979...]
>> Sent: Friday, February 08, 2013 9:36 AM
>> To: Andy; snort-users at lists.sourceforge.net
>> Subject: RE: [Snort-users] Restart snort inline without traffic loss?
>> 
>> The drop action will drop the packet AND alert at the same time. If you
>> want to completely ignore the alert for drop rules you can use sdrop
>> action.
>> 
>> YM
>> ________________________________
>> 
>> From: Andy <mailto:a_w_smith at ...1396...>
>> Sent: 2/8/2013 12:16 PM
>> To: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Restart snort inline without traffic loss?
>> 
>> 
>> Thanks, I have added 3 rules into dropsid.conf and re-run pulledpork, it
>> said 3 rules had been set as drop, however I am still seeing alerts for the
>> drop rules, for example in dropsid.conf I have:-
>> 
>> #ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake
>> 1:2010908
>> 
>> I am still seeing this though:-
>> 
>> 02/08-08:57:28.629171  [**] [1:2010908:6] ET MALWARE Mozilla User-Agent
>> (Mozilla/5.0) Inbound Likely Fake [**] [Classification: A Network Trojan was
>> Detected] [Priority: 1] {TCP} 198.105.219.58:60340 -> ***
>> 
>> Also seeing the alert in snorby.
>> 
>> I have also tried restarting everything, do I need something else set to
>> block this?
>> 
>> Thanks,
>> Andy
>> 
>>> -----Original Message-----
>>> From: Joel Esler [mailto:jesler at ...1935...]
>>> Sent: Thursday, February 07, 2013 6:32 PM
>>> To: Andy
>>> Cc: snort-users at lists.sourceforge.net
>>> Subject: Re: [Snort-users] Restart snort inline without traffic loss?
>>> 
>>> Look into dropsid.conf in pulledpork.  That may help you.
>>> 
>>> --
>>> Joel Esler
>>> Senior Research Engineer, VRT
>>> OpenSource Community Manager
>>> Sourcefire
>>> 
>>> 
>>> On Feb 7, 2013, at 12:55 PM, Andy <a_w_smith at ...1396...> wrote:
>>> 
>>> 
>>>       Thanks for all the replies, I am still confused by the rules I am getting
>>>       with pulledpork, every rule is an alert, none are a drop, so if I want snort
>>>       to drop bad traffic what do I do? If I manually change an alert rule to a
>>>       drop rule it will get overwritten on the next download, have I missed
>>>       something?
>>> 
>>>       Andy
>>> 
>>> 
>>>               -----Original Message-----
>>>               From: Y M [mailto:snort at ...15979...]
>>>               Sent: Wednesday, February 06, 2013 10:35 AM
>>>               To: Andy
>>>               Cc: snort-users at lists.sourceforge.net
>>>               Subject: RE: [Snort-users] Restart snort inline without traffic loss?
>>> 
>>>               If Snort is configured with a reload option such as --enable-reload, then
>>>               you can supply the -H argument to pulledpork whenever it is run. This will
>>>               cause Snort to reload the new signatures processed by pulledpork without
>>>               having to shut down the Snort process. However, there are certain limits to
>>>               what can be reloaded, such as dynamic libraries, output plugins, and other
>>>               configurations from the snort.conf file.
>>> 
>>>               YM
>>>               ________________________________
>>> 
>>>               From: Andy <mailto:a_w_smith at ...1396...>
>>>               Sent: 2/6/2013 1:27 PM
>>>               To: 'Heine Lysemose' <mailto:lysemose at ...11827...>
>>>               Cc: snort-users at lists.sourceforge.net
>>>               Subject: Re: [Snort-users] Restart snort inline without traffic loss?
>>> 
>>>               Hi,
>>> 
>>>               I am already using pulledpork, how can I use this to help with my issues?
>>> 
>>>               Thanks,
>>>               Andy.
>>> 
>>> 
>>>                       -----Original Message-----
>>>                       From: Heine Lysemose [mailto:lysemose at ...11827...]
>>>                       Sent: Tuesday, February 05, 2013 9:02 PM
>>>                       To: Andy
>>>                       Cc: snort-users at lists.sourceforge.net
>>>                       Subject: Re: [Snort-users] Restart snort inline without traffic loss?
>>> 
>>>                       Hi Andy
>>> 
>>>                       On Feb 5, 2013 9:30 PM, "Andy" <a_w_smith at ...1396...> wrote:
>>> 
>>>                               Hi,
>>> 
>>>                               I am new to snort, I have it installed on a web server running inline mode
>>>                               with iptables, nfqueue, barnyard2 and snorby.
>>> 
>>>                               I've downloaded the emerging threats rules, firstly all the rules are
>>>                               alerts, do I have to convert these to drop if I want to drop the traffic?
>>> 
>>>                       Have a look at Pulledpork, http://code.google.com/p/pulledpork/, it will
>>>                       do this for you + a lot of other cool things.
>>> 
>>>                               Assuming I do, how do I restart snort without losing good traffic,
>>>                               currently if I kill the process and restart I lose about 30 seconds of
>>>                               traffic while snort restarts, not good on an ecommerce site.
>>> 
>>>                               I also would like a fail safe nfqueue bypass in case things go wrong, at
>>>                               the moment if snort goes down I also get locked out but it's on a cron job to
>>>                               restart if it's down for more than 1 minute.
>>> 
>>>                               I need some advice please..
>>> 
>>>                               Thanks.
>>> 
>>> 
>>>                       Regards,
>>>                       Lysemose
>>> 
>>> 
>>> 
>>> 
>>>                               ------------------------------------------------------------------------------
>>>                               Free Next-Gen Firewall Hardware Offer
>>>                               Buy your Sophos next-gen firewall before the end March 2013
>>>                               and get the hardware for free! Learn more.
>>>                               http://p.sf.net/sfu/sophos-d2d-feb
>>>                               _______________________________________________
>>>                               Snort-users mailing list
>>>                               Snort-users at lists.sourceforge.net
>>>                               Go to this URL to change user options or unsubscribe:
>>>                               https://lists.sourceforge.net/lists/listinfo/snort-users
>>>                               Snort-users list archive:
>>>                               http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>> 
>>>                               Please visit http://blog.snort.org to stay current on all the latest Snort news!
>> 
>> 
>> 
> 
> 

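Added example (an editor's illustration, not pulledpork's or Snort's code): the alert-to-drop rewrite that a dropsid.conf entry such as the `1:2010908` line above drives, reduced to a few functions, together with the check missing from the thread, reading the action back out of the rules file Snort actually loads for GID:SID 1:2010908. The dropsid entries and rule lines are constructed samples; the rule body given for sid 2010908 is a placeholder, not the real ET signature. The `new_action` parameter that lets it emit `sdrop` is an assumption added for illustration; per Joel's reply above, pulledpork's dropsid.conf itself only sets `drop`.

```python
"""Rewrite Snort rule actions from a dropsid.conf-style GID:SID list.

Added example, not pulledpork's code.  Entries are one GID:SID per line
(a bare SID is taken as GID 1), '#' starts a comment.  The target action
is a parameter so the same function can emit 'sdrop' (an assumption for
illustration; pulledpork's dropsid.conf produces 'drop').
"""
import re

# Constructed sample inputs, not taken from a real rule feed or config.
DROPSID_CONF = """\
#ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake
1:2010908
# a sid that is not in the rule set, to show it is reported as unmatched
1:9999999
"""

RULES = """\
# constructed rules; the body for sid 2010908 is a placeholder, not the real ET rule
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake"; flow:to_server,established; sid:2010908; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed example rule"; sid:1000001; rev:1;)
# alert tcp any any -> any any (msg:"disabled rule stays disabled"; sid:1000002; rev:1;)
"""

ACTIONS = ("alert", "log", "pass", "drop", "sdrop", "reject", "activate", "dynamic")
# An enabled rule line: action keyword, header, then the parenthesised option block.
_RULE_RE = re.compile(r"^(?P<action>%s)\s+(?P<rest>.*\(.*\))\s*$" % "|".join(ACTIONS))
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def parse_dropsid(text):
    """Return the set of (gid, sid) tuples listed in a dropsid.conf-style file."""
    wanted = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if ":" in line:
            gid, sid = line.split(":", 1)
        else:
            gid, sid = "1", line  # bare sid: assume the default generator
        wanted.add((int(gid), int(sid)))
    return wanted


def rule_identity(rule_body):
    """Extract (gid, sid) from a rule's option block; gid defaults to 1 as in Snort."""
    sid = _SID_RE.search(rule_body)
    if not sid:
        return None
    gid = _GID_RE.search(rule_body)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def apply_dropsid(rules_text, dropsid_text, new_action="drop"):
    """Rewrite the action of every listed rule.

    Returns (rewritten text, set of ids changed, set of ids not found).
    Commented-out rules never match _RULE_RE, so they stay disabled.
    """
    wanted = parse_dropsid(dropsid_text)
    changed = set()
    out = []
    for line in rules_text.splitlines():
        m = _RULE_RE.match(line)
        if m:
            ident = rule_identity(m.group("rest"))
            if ident in wanted:
                changed.add(ident)
                line = "%s %s" % (new_action, m.group("rest"))
        out.append(line)
    return "\n".join(out) + "\n", changed, wanted - changed


def action_for(rules_text, gid, sid):
    """The check to run against the file Snort loads: which action does this rule carry?

    Returns the action keyword, or None if the sid is absent or commented out.
    """
    for line in rules_text.splitlines():
        m = _RULE_RE.match(line)
        if m and rule_identity(m.group("rest")) == (gid, sid):
            return m.group("action")
    return None


if __name__ == "__main__":
    new_rules, changed, missing = apply_dropsid(RULES, DROPSID_CONF)
    print("set to drop:", sorted(changed), "unmatched:", sorted(missing))
    print("1:2010908 before:", action_for(RULES, 1, 2010908),
          "after:", action_for(new_rules, 1, 2010908))
```

Running `action_for()` over the rules file named in the running snort.conf (rather than over pulledpork's output) is the check for the symptom described above: if it returns `alert` for 1:2010908 while pulledpork reported the rule set to drop, Snort is not loading the rewritten file, or has not reloaded it since the rewrite. Two caveats the thread touches on: a `drop` rule only drops when Snort is actually running inline, and, as YM notes, `drop` still alerts while `sdrop` does not. On the fail-safe bypass asked for in the first message and not answered on the page, the iptables NFQUEUE target's `--queue-bypass` option (iptables 1.4.11 and kernel 2.6.39 or later) accepts packets when no process is bound to the queue, which is the fail-open behaviour wanted when Snort is down.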