[Snort-users] Restart snort inline without traffic loss?

Y M snort at ...15979...
Fri Feb 8 14:50:57 EST 2013


Look at rate filtering (rate_filter) in Snort's manual. I think you would need to look at the rules you have, evaluate what is considered a risk to your environment, and, based on that, determine your action strategy.
> From: a_w_smith at ...1396...
> To: snort-users at lists.sourceforge.net
> Date: Fri, 8 Feb 2013 19:32:11 +0000
> Subject: Re: [Snort-users] Restart snort inline without traffic loss?
> 
> > On 2/8/2013 11:57, Jeremy Hoel wrote:
> > > Could you use modify.sid to do that?
> > 
> > Not knowing pulledpork, I'm going to guess that this is exactly what I've
> > been trying to point the OP towards...
> > 
> > In oinkmaster, I simply include another conf file that contains actual
> > modifysid options along with enablesid and disablesid options ;)
> 
> 
> Thanks for all the replies, I will have a look at modify.sid
> 
> The way I was planning to use snort/snorby was initially to identify the bad
> traffic and hacking etc
> 
> Once I had detected something I definitely wanted to drop I would change the
> rule to a drop rule.
> 
> After adding the drop rule I didn't want to be notified about the drops
> because it would be more difficult to see new bad (passed) traffic.
> 
> If there is a better way to do things I am open to suggestions, I guess I am
> hoping (eventually) to just see a handful of notifications a day that need
> action. I am currently getting around 100-200 notifications per hour.
> 
> If snorby identified the traffic as already dropped then I would keep the
> notifications, I don't think it gives an indication of which traffic is
> passed or dropped, but I could well have missed something else...
> 
> Advice welcome
> 
> Thanks,
> Andy 
> 
> 
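As an added illustration of the alert-to-drop rewrite Andy describes (this is example code, not code from the thread, pulledpork or oinkmaster): a small Python routine that changes the action of selected SIDs from `alert` to `drop`, the way a modifysid entry would, while leaving commented-out rules and every other SID untouched. The rules file, SIDs and rule text are constructed for the example.

```python
import re

# Constructed sample rules (not from the thread); the SIDs and messages are made up.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; flow:to_server; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Web scanner user-agent"; content:"Nikto"; http_header; sid:1000002; rev:1;)
# alert udp any any -> $HOME_NET 53 (msg:"Disabled rule"; sid:1000003; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP echo"; itype:8; sid:1000004; rev:1;)
"""

# sid:<number>; option inside the rule body
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# leading 'alert' action, keeping any indentation and the following whitespace
ACTION_RE = re.compile(r"^(\s*)alert(\s)")


def convert_to_drop(rules_text, drop_sids):
    """Return (rewritten_text, changed_sids).

    Every active rule whose sid is in drop_sids and whose action is 'alert'
    gets its action changed to 'drop'. Commented-out rules (leading '#'),
    rules with other SIDs, and rules already using another action are
    copied through unchanged, so the rest of the ruleset is not disturbed.
    """
    drop_sids = {int(s) for s in drop_sids}
    out = []
    changed = set()
    for line in rules_text.splitlines():
        match = SID_RE.search(line)
        if line.lstrip().startswith("#") or match is None:
            out.append(line)
            continue
        sid = int(match.group(1))
        if sid not in drop_sids:
            out.append(line)
            continue
        new_line, n = ACTION_RE.subn(r"\1drop\2", line)
        if n:
            changed.add(sid)
        out.append(new_line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    text, changed = convert_to_drop(SAMPLE_RULES, {1000001, 1000003, 1000004})
    print(text)
    print("changed SIDs:", sorted(changed))
```

The SID is kept as-is, so Snort keeps reporting the same signature id for the rule; only the action at the start of the line changes.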