[Snort-users] help add rule while snort is running
wkitty42 at ...14940...
Fri Mar 1 21:34:09 EST 2013
On 3/1/2013 04:08, Prabhudev Avarasang wrote:
> I am using snort 2.9. Is there any way to add rule while running snort.
> Because now i have to restart snort every time i add a rule.
when you add, remove, or delete rules, you always have to restart snort or at
least cause it to reload its configs and rules IF you have it compiled with that
option... if you do, you can send a SIGHUP (IIRC) to it... it will consume
roughly twice as much memory for a time until all of the old connections are
terminated and it can drop the old config from memory... if you do this reload a
third time before the first config and rule image is unloaded, then you will be
seeing three times the memory usage... there is no set time for the older config
and rules images to be dumped... only when all traffic going thru them is
complete will they be dumped... then, depending on your OS, the flushing of the
memory and returning it to general use may take a while...
NOTE: the above is my understanding based on initial experiments performed about
a year ago... followup testing shows roughly the same since then...
More information about the Snort-users