[Snort-users] Restart snort inline without traffic loss?

Jeremy Hoel jthoel at ...11827...
Fri Feb 8 11:57:12 EST 2013


Could you use modifysid.conf to do that?

On Fri, Feb 8, 2013 at 10:06 AM, Andy <a_w_smith at ...1396...> wrote:
> Thanks, this leads to another question, can I configure dropsid.conf to
> change alert to sdrop rather than drop when using pulledpork, I had a google
> and didn't find much?
>
> Thanks,
> Andy
>
>> -----Original Message-----
>> From: Y M [mailto:snort at ...15979...]
>> Sent: Friday, February 08, 2013 9:36 AM
>> To: Andy; snort-users at lists.sourceforge.net
>> Subject: RE: [Snort-users] Restart snort inline without traffic loss?
>>
>> The drop action will drop the packet AND alert at the same time. If you
>> want to completely ignore the alert for drop rules you can use sdrop
>> action.
>>
>> YM
>> ________________________________
>>
>> From: Andy <mailto:a_w_smith at ...1396...>
>> Sent: 2/8/2013 12:16 PM
>> To: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Restart snort inline without traffic loss?
>>
>>
>> Thanks, I have added 3 rules into dropsid.conf and re-run pulledpork, it
>> said 3 rules had been set as drop, however I am still seeing alerts for the
>> drop rules, for example in dropsid.conf I have:-
>>
>> #ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake
>> 1:2010908
>>
>> I am still seeing this though:-
>>
>> 02/08-08:57:28.629171  [**] [1:2010908:6] ET MALWARE Mozilla User-Agent
>> (Mozilla/5.0) Inbound Likely Fake [**] [Classification: A Network Trojan was
>> Detected] [Priority: 1] {TCP} 198.105.219.58:60340 -> ***
>>
>> Also seeing the alert in snorby.
>>
>> I have also tried restarting everything, do I need something else set to
>> block this?
>>
>> Thanks,
>> Andy
>>
>> > -----Original Message-----
>> > From: Joel Esler [mailto:jesler at ...1935...]
>> > Sent: Thursday, February 07, 2013 6:32 PM
>> > To: Andy
>> > Cc: snort-users at lists.sourceforge.net
>> > Subject: Re: [Snort-users] Restart snort inline without traffic loss?
>> >
>> > Look into dropsid.conf in pulledpork.  That may help you.
>> >
>> > --
>> > Joel Esler
>> > Senior Research Engineer, VRT
>> > OpenSource Community Manager
>> > Sourcefire
>> >
>> >
>> > On Feb 7, 2013, at 12:55 PM, Andy <a_w_smith at ...1396...> wrote:
>> >
>> >
>> >        Thanks for all the replies, I am still confused by the rules I am
>> >        getting with pulledpork, every rule is an alert, none are a drop, so if I
>> >        want snort to drop bad traffic what do I do? If I manually change an
>> >        alert rule to a drop rule it will get overwritten on the next download,
>> >        have I missed something?
>> >
>> >        Andy
>> >
>> >
>> >
>> >                -----Original Message-----
>> >                From: Y M [mailto:snort at ...15979...]
>> >                Sent: Wednesday, February 06, 2013 10:35 AM
>> >                To: Andy
>> >                Cc: snort-users at lists.sourceforge.net
>> >                Subject: RE: [Snort-users] Restart snort inline without traffic loss?
>> >
>> >                If Snort is configured with a reload option such as --enable-reload,
>> >                then you can supply the -H argument to pulledpork whenever it is run.
>> >                This will cause Snort to reload the new signatures processed by
>> >                pulledpork without having to shut down the Snort process. However,
>> >                there are certain limits to what can be reloaded, such as dynamic
>> >                libraries, output plugins, and other configurations from the
>> >                snort.conf file.
>> >
>> >                YM
>> >                ________________________________
>> >
>> >                From: Andy <mailto:a_w_smith at ...1396...>
>> >                Sent: 2/6/2013 1:27 PM
>> >                To: 'Heine Lysemose' <mailto:lysemose at ...11827...>
>> >                Cc: snort-users at lists.sourceforge.net
>> >                Subject: Re: [Snort-users] Restart snort inline without traffic loss?
>> >
>> >
>> >                Hi,
>> >
>> >                I am already using pulledpork, how can I use this to help
>> >                with my issues?
>> >
>> >                Thanks,
>> >                Andy.
>> >
>> >
>> >
>> >                        -----Original Message-----
>> >                        From: Heine Lysemose [mailto:lysemose at ...11827...]
>> >                        Sent: Tuesday, February 05, 2013 9:02 PM
>> >                        To: Andy
>> >                        Cc: snort-users at lists.sourceforge.net
>> >                        Subject: Re: [Snort-users] Restart snort inline without traffic loss?
>> >
>> >                        Hi Andy
>> >
>> >                        On Feb 5, 2013 9:30 PM, "Andy" <a_w_smith at ...1396...> wrote:
>> >
>> >
>> >
>> >                                Hi,
>> >
>> >                                I am new to snort, I have it installed on a web
>> >                                server running inline mode with iptables, nfqueue,
>> >                                barnyard2 and snorby.
>> >
>> >                                I've downloaded the emerging threats rules, firstly
>> >                                all the rules are alerts, do I have to convert these
>> >                                to drop if I want to drop the traffic?
>> >
>> >                        Have a look at Pulledpork, http://code.google.com/p/pulledpork/,
>> >                        it will do this for you + a lot of other cool things.
>> >
>> >                                Assuming I do, how do I restart snort without losing
>> >                                good traffic, currently if I kill the process and
>> >                                restart I lose about 30 seconds of traffic while snort
>> >                                restarts, not good on an ecommerce site.
>> >
>> >                                I also would like a fail-safe nfqueue bypass in case
>> >                                things go wrong, at the moment if snort goes down I
>> >                                also get locked out but it's on a cron job to restart
>> >                                if it's down for more than 1 minute.
>> >
>> >                                I need some advice please..
>> >
>> >                                Thanks.
>> >
>> >                        Regards,
>> >                        Lysemose
>> >
>> >
>> >
>> >
>> > ------------------------------------------------------------------------------
>> > Free Next-Gen Firewall Hardware Offer
>> > Buy your Sophos next-gen firewall before the end March 2013
>> > and get the hardware for free! Learn more.
>> > http://p.sf.net/sfu/sophos-d2d-feb
>> > _______________________________________________
>> > Snort-users mailing list
>> > Snort-users at lists.sourceforge.net
>> > Go to this URL to change user options or unsubscribe:
>> > https://lists.sourceforge.net/lists/listinfo/snort-users
>> > Snort-users list archive:
>> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> >
>> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>
>>
>>
>
>
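Added example, not from the thread and not pulledpork's own (Perl) code: a Python stand-in for the dropsid.conf processing Andy asks about, which reads a dropsid.conf-style SID list and rewrites the action keyword of the matching rules, with the target action as a parameter so the same list can produce sdrop rules (block without alerting, as YM describes) instead of drop. The rule text and the second and third SIDs are constructed; only the msg and sid of 1:2010908 come from the thread. actions_by_sid is the check to run on the written rule file when alerts keep firing after a pulledpork run.

```python
# Added example, not pulledpork's own code: the alert -> drop rewrite pulledpork
# performs from dropsid.conf, with the action as a parameter so it can yield sdrop.
import re
# Action keyword at the start of an enabled rule; commented-out rules do not match.
RULE_RE = re.compile(r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<rest>.*)$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
# Constructed sample input: msg/sid of ET 1:2010908 from the thread on a simplified
# rule body (not the real rule), plus two made-up rules.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake"; sid:2010908; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED enabled rule"; sid:9000001; rev:1;)
# alert tcp any any -> any any (msg:"CONSTRUCTED disabled rule"; sid:9000002; rev:1;)
"""
DROPSID = """\
#ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake
1:2010908
9000002
"""

def parse_sid_list(text):
    """dropsid.conf syntax: '#' starts a comment; entries are gid:sid or a bare sid (gid 1)."""
    wanted = set()
    for line in text.splitlines():
        for token in re.split(r"[,\s]+", line.split("#", 1)[0].strip()):
            if token:
                gid, _, sid = token.rpartition(":")
                wanted.add((int(gid or 1), int(sid)))
    return wanted

def rule_key(rest):
    """(gid, sid) of a rule body, gid defaulting to 1; None when there is no sid."""
    sid, gid = SID_RE.search(rest), GID_RE.search(rest)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1))) if sid else None

def actions_by_sid(rules_text):
    """Current action of each enabled rule: the check to run when alerts still fire."""
    found = {}
    for m in filter(None, map(RULE_RE.match, rules_text.splitlines())):
        if rule_key(m.group("rest")):
            found[rule_key(m.group("rest"))] = m.group("action")
    return found

def set_actions(rules_text, wanted, new_action="drop"):
    """Rewrite matching enabled rules; return new text and {(gid, sid): (old, new)} per change."""
    out, changed = [], {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        key = rule_key(m.group("rest")) if m else None
        if key in wanted and m.group("action") != new_action:
            changed[key] = (m.group("action"), new_action)
            line = f"{new_action} {m.group('rest')}"
        out.append(line)
    return "\n".join(out) + "\n", changed
```

A disabled (commented-out) rule listed in the SID file is left disabled rather than silently re-enabled, which is the edge case worth checking when a count of "rules set as drop" does not match what the sensor actually loads.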



