Snort mailing list archives

Re: runtime rule adding

From: Dennis George <easyeinfo () yahoo com>
Date: Mon, 16 Aug 2004 18:44:59 -0700 (PDT)

Thankyou all for your quick answer.......... 
 
This means that adding new rules will result in packet loss... :-(
 
Anyway thanks again
Dennis
 
Matt Kettler <mkettler () evi-inc com> wrote:
At 05:06 AM 8/16/2004, Dennis George wrote:

can anybody tell me that whether I can add a rule while snort is 
running..... so that the rule can be active without restarting the snort.....


No. You can't add rules to a running snort without interrupting it.

The closest you can do is send snort a SIGHUP after adding rules. This 
doesn't cause the process to exit, but does force it to re-initialize. 
However, even this does interrupt snort momentarily. It's faster than 
completely exiting restarting it, but the effect on snort's internal state 
is largely the same..



                
---------------------------------
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.

Current thread:

runtime rule adding Dennis George (Aug 16)
- Re: runtime rule adding Keith W. McCammon (Aug 16)
- Re: runtime rule adding Matt Kettler (Aug 16)
  - Re: runtime rule adding Dennis George (Aug 16)