[Snort-users] help add rule while snort is running

waldo kitty wkitty42 at ...14940...
Fri Mar 1 21:34:09 EST 2013


On 3/1/2013 04:08, Prabhudev Avarasang wrote:
> Hello,
> I am using snort 2.9. Is there any way to add a rule while running snort?
> Because now I have to restart snort every time I add a rule.

when you add, remove, or delete rules, you always have to restart snort or at 
least cause it to reload its configs and rules IF you have it compiled with that 
option... if you do, you can send a SIGHUP (IIRC) to it... it will consume 
roughly twice as much memory for a time until all of the old connections are 
terminated and it can drop the old config from memory... if you do this reload a 
third time before the first config and rule image is unloaded, then you will be 
seeing three times the memory usage... there is no set time for the older config 
and rules images to be dumped... only when all traffic going through them is 
complete will they be dumped... then, depending on your OS, the flushing of the 
memory and returning it to general use may take a while...

NOTE: the above is my understanding based on initial experiments performed about 
a year ago... followup testing shows roughly the same since then...
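
The following is an added example, not part of the original message and not Snort project code: a guarded reload wrapper for the behaviour described above. It tests the config with `snort -T` before signalling, and refuses to send another SIGHUP while resident memory is still well above the recorded baseline. The file paths, the state file, the 150% threshold and the Linux `/proc` layout are assumptions; Snort must be built with reload support (`--enable-reload` in the 2.9 manual).

```shell
#!/bin/sh
# Added example: guarded config reload for Snort 2.9.
# Assumed/placeholder values: all three paths below and the 150% threshold.
CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
PIDFILE="${SNORT_PIDFILE:-/var/run/snort.pid}"
STATE="${SNORT_STATE:-/var/run/snort.rss_baseline}"   # hypothetical state file

# Resident memory in kB for a pid, read from <proc>/<pid>/status (Linux).
rss_kb() {
    awk '/^VmRSS:/ {print $2}' "${PROC_ROOT:-/proc}/$1/status"
}

# True when current RSS is within 150% of the baseline, i.e. the config
# image from the previous reload appears to have been dropped.
old_config_released() {   # args: baseline_kb current_kb
    [ "$2" -le $(( $1 * 3 / 2 )) ]
}

guarded_reload() {
    pid=$(cat "$PIDFILE") || return 1
    now=$(rss_kb "$pid")
    [ -n "$now" ] || { echo "cannot read RSS for pid $pid" >&2; return 1; }

    # First run: record the current size as the baseline.
    [ -f "$STATE" ] || echo "$now" > "$STATE"
    base=$(cat "$STATE")

    # Avoid stacking a third config image on top of two live ones.
    if ! old_config_released "$base" "$now"; then
        echo "RSS ${now} kB vs baseline ${base} kB: old config still loaded" >&2
        return 2
    fi

    # -T parses the config and rules, then exits; never signal a running
    # sensor with a rule file that does not load.
    snort -T -c "$CONF" >/dev/null 2>&1 || { echo "config test failed" >&2; return 3; }

    echo "$now" > "$STATE"      # baseline for the next reload
    kill -HUP "$pid"
}

# Run only when called as: script.sh reload
if [ "${1:-}" = "reload" ]; then guarded_reload; fi
```

Return code 2 means the earlier config image has not been released yet, so retry later rather than forcing the reload.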
