[Snort-users] Restart snort inline without traffic loss?

Andy a_w_smith at ...1396...
Fri Feb 8 14:32:11 EST 2013

> On 2/8/2013 11:57, Jeremy Hoel wrote:
> > Could you use modifiy.sid to do that?
> not knowing pulledpork, i'm going to guess that this is exactly what i've
> been
> trying to point the OP towards...
> in oinkmaster, i simply include another conf file that contains actual
> modifysid
> options along with enablesid and disablesid options ;)

Thanks for all the replies, I will have a look at modify.sid

The way I was planning to use snort/snorby was initially to identify the bad
traffic and hacking etc

Once I had detected something I definitely wanted to drop I would change the
rule to a drop rule.

After adding the drop rule I didn't want to be notified about the drops
because it would be more difficult to see new bad (passed) traffic.

If there is a better way to do things I am open to suggestions, I guess I am
hoping (eventually) to just see a handful of notifications a day that need
action. I am currently getting around 100-200 notifications per hour.

If snorby identified the traffic as already dropped then I would keep the
notifications, I don't think it gives an indication of which traffic is
passed or dropped, but I could well have missed something else...

Advice welcome


More information about the Snort-users mailing list