Re: Restart snort inline without traffic loss?

[waldo kitty <wkitty42 () windstream net>]

On 2/6/2013 06:19, Mitesh Jadia wrote:
> you can write one restart script.
>
> steps
>
> - remove iptable entries targetting on nf_queue
> - restart snort
> - apply iptable entires targetting on nf_queue

this will still cause the loss of traffic monitoring while snort is down... my 
understanding is that loosing traffic monitoring is what the OP was trying to 
avoid...

> On Wed, Feb 6, 2013 at 1:56 AM, Andy <a_w_smith () yahoo co uk
> <mailto:a_w_smith () yahoo co uk>> wrote:
>
>     Hi,
>
>     I am new to snort, I have it installed on a web server running inline mode
>     with iptables, nfqueue, barnyard2 and snorby.
>
>     I've downloaded the emerging threats rules, firstly all the rules are
>     alerts, do I have to convert these to drop if I want to drop the traffic?
>
>     Assuming I do, how do I restart snort without loosing good traffic,
>     currently if I kill the process and restart I lose about 30 seconds of
>     traffic while snort restarts, not good on an ecommerce site.
>
>     I also would like a fail safe nfqueue bypass in case things go wrong, at the
>     moment if snort goes down I also get locked out but its on a cron job to
>     restart if its down for more than 1 minute.
>
>     I need some advice please..
>
>     Thanks.


------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013 
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!