Snort mailing list archives
Re: Reload Snort to use new ruleset
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Thu, 28 Jul 2011 13:26:11 -0500
One minor nit. Your script should restart barnyard before restarting snort. Otherwise it is possible to catch an alert that won't be classified because barnyard has not yet reread the sid-msg.map file. Yes, I said it's a nit.

--On July 26, 2011 8:44:44 PM +0000 "Castle, Shane" <scastle () bouldercounty org> wrote:
The command "kill -SIGHUP <pid>" has not worked for some time with Snort IIRC (nor pkill, which I had been using before), and the suggested init.d entry for controlling snort does not use it either, but rather stop and start:

    restart|reload)
        $0 stop
        $0 start

I suspect the doc needs updating. Add in using barnyard2 and things get more interesting. Here is my current cron script that uses oinkmaster (no pulledpork suggestions please):

    #!/bin/bash
    # Run from cron: update rules, rebuild barnyard2's sid-msg.map, restart.
    cd /etc/snort || exit 1
    /sbin/service barnyard2 stop
    # Merge both rule feeds into ./rules, keeping backups; log to oink.out
    ./oinkmaster.pl -o ./rules -b ./backup -C ./bleeding-oink.conf -C ./oinkmaster.conf >oink.out 2>&1
    # Regenerate the sid -> msg map barnyard2 uses to label alerts
    ./create-sidmap.pl rules >sid-msg.map
    /sbin/service snort restart
    /sbin/service barnyard2 start
-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very intelligent person could believe in them." George Orwell
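The reload order Paul describes (barnyard2 rereads sid-msg.map before snort comes back up with the new rules), written out as an added example. This is not part of the original thread and is neither poster's script: make_sidmap is a small stand-in for create-sidmap.pl, not that tool, and the layout it assumes ($SNORT_DIR/snort.conf, $SNORT_DIR/rules/*.rules, $SNORT_DIR/sid-msg.map) and the SERVICE_CMD and SNORT_BIN variables are hypothetical hooks so the functions can be dry-run without root or a sensor. It also adds a step the thread does not mention: running snort -T on the new configuration before anything is restarted, so a bad rule download leaves the old map and the running daemons untouched. The sid || msg || reference line format is the sid-msg.map format barnyard2 reads.

```shell
#!/bin/bash
# Added example (not the poster's script): rebuild barnyard2's sid-msg.map
# from the installed rules, test the new Snort config, then restart
# barnyard2 BEFORE snort so the map is reread before any new-sid alerts.
# Assumed layout: $SNORT_DIR/snort.conf, $SNORT_DIR/rules/*.rules,
# $SNORT_DIR/sid-msg.map. SERVICE_CMD and SNORT_BIN are hypothetical
# overridable hooks so the functions can be dry-run without a real sensor.
SNORT_DIR=${SNORT_DIR:-/etc/snort}
SERVICE_CMD=${SERVICE_CMD:-/sbin/service}
SNORT_BIN=${SNORT_BIN:-/usr/sbin/snort}

# Read rule text on stdin, emit "sid || msg [|| reference ...]" lines
# (the sid-msg.map format barnyard2 reads), one per active rule, sorted
# by sid. Commented-out rules and rules lacking sid or msg are skipped.
make_sidmap() {
    grep -v '^[[:space:]]*#' | awk '
    {
        sid = ""; msg = ""; refs = ""; line = $0
        if (match(line, /sid:[[:space:]]*[0-9]+/)) {
            sid = substr(line, RSTART, RLENGTH); sub(/sid:[[:space:]]*/, "", sid)
        }
        if (match(line, /msg:[[:space:]]*"[^"]*"/)) {
            msg = substr(line, RSTART, RLENGTH)
            sub(/^msg:[[:space:]]*"/, "", msg); sub(/"$/, "", msg)
        }
        # collect every reference:type,value option, in rule order
        while (match(line, /reference:[[:space:]]*[^;]+/)) {
            r = substr(line, RSTART + 10, RLENGTH - 10)   # drop "reference:"
            sub(/^[[:space:]]+/, "", r)
            refs = refs " || " r
            line = substr(line, RSTART + RLENGTH)
        }
        if (sid != "" && msg != "") print sid " || " msg refs
    }' | sort -n
}

# Reload procedure. Returns non-zero, leaving the old map and the running
# daemons untouched, if the map comes out empty or snort -T rejects the new
# configuration, so a bad rule download does not take the sensor down.
reload_sensor() {
    local dir=${1:-$SNORT_DIR} map
    map=$dir/sid-msg.map
    cat "$dir"/rules/*.rules | make_sidmap > "$map.new" || return 1
    if [ ! -s "$map.new" ]; then
        echo "reload_sensor: generated sid-msg.map is empty, aborting" >&2
        rm -f "$map.new"; return 1
    fi
    # -T: parse config and rules, report, and exit without sniffing
    if ! "$SNORT_BIN" -T -q -c "$dir/snort.conf" >/dev/null 2>&1; then
        echo "reload_sensor: snort -T failed on the new config, aborting" >&2
        rm -f "$map.new"; return 1
    fi
    mv "$map.new" "$map"
    # barnyard2 first, so it already holds the new sid -> msg mapping when
    # snort comes back up and starts logging alerts from the new rules
    "$SERVICE_CMD" barnyard2 restart || return 1
    "$SERVICE_CMD" snort restart
}

# Usage from cron, after oinkmaster has updated the rules:
#   SNORT_DIR=/etc/snort ./reload-sensor.sh run
if [ "${1:-}" = run ]; then
    reload_sensor
fi
```

Run it after the rule update step rather than in place of it; the script only rebuilds the map and restarts, it does not fetch rules. If snort -T fails, the previous sid-msg.map stays in place and neither daemon is touched, which is the failure mode a cron-driven update most needs to get right.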
Current thread:
- Reload Snort to use new ruleset RICHARD METZER (Jul 26)
- Re: Reload Snort to use new ruleset Gibson, Nathan J. (HSC) (Jul 26)
- Re: Reload Snort to use new ruleset Eoin Miller (Jul 26)
- Re: [Spam] Reload Snort to use new ruleset Lay, James (Jul 26)
- Re: Reload Snort to use new ruleset Castle, Shane (Jul 26)
- Re: Reload Snort to use new ruleset Marcos Rodriguez (Jul 26)
- Re: Reload Snort to use new ruleset Lay, James (Jul 26)
- Re: Reload Snort to use new ruleset Joel Esler (Jul 26)
- Re: Reload Snort to use new ruleset Lay, James (Jul 26)
- Re: Reload Snort to use new ruleset Paul Schmehl (Jul 28)
- Re: Reload Snort to use new ruleset Gibson, Nathan J. (HSC) (Jul 26)
- Re: Reload Snort to use new ruleset Agustin Roca (Jul 27)
- <Possible follow-ups>
- Re: Reload Snort to use new ruleset Gregory Zill (Jul 26)