Snort mailing list archives

Re: Restart snort inline without traffic loss?


From: "Andy" <a_w_smith () yahoo co uk>
Date: Thu, 7 Feb 2013 17:55:09 -0000

Thanks for all the replies. I am still confused by the rules I am getting
with pulledpork: every rule is an alert, none are a drop, so if I want snort
to drop bad traffic what do I do? If I manually change an alert rule to a
drop rule it will get overwritten on the next download; have I missed
something?

Andy

-----Original Message-----
From: Y M [mailto:snort () outlook com]
Sent: Wednesday, February 06, 2013 10:35 AM
To: Andy
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Restart snort inline without traffic loss?

If Snort is configured with the reload option such as --enable-reload, then
you can supply the -H argument to pulledpork whenever it is run. This will
cause Snort to reload the new signatures processed by pulledpork without
having to shut down the Snort process. However, there are certain limits to
what can be reloaded, such as dynamic libraries, output plugins, and other
configurations from the snort.conf file.

YM
________________________________

From: Andy <mailto:a_w_smith () yahoo co uk>
Sent: 2/6/2013 1:27 PM
To: 'Heine Lysemose' <mailto:lysemose () gmail com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Restart snort inline without traffic loss?


Hi,

I am already using pulledpork, how can I use this to help with my issues?

Thanks,
Andy.

-----Original Message-----
From: Heine Lysemose [mailto:lysemose () gmail com]
Sent: Tuesday, February 05, 2013 9:02 PM
To: Andy
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Restart snort inline without traffic loss?

Hi Andy

On Feb 5, 2013 9:30 PM, "Andy" <a_w_smith () yahoo co uk> wrote:

Hi,

I am new to snort, I have it installed on a web server running inline mode
with iptables, nfqueue, barnyard2 and snorby.

I've downloaded the emerging threats rules. Firstly, all the rules are
alerts; do I have to convert these to drop if I want to drop the traffic?

Have a look at Pulledpork, http://code.google.com/p/pulledpork/, it will
do this for you + a lot of other cool things.

Assuming I do, how do I restart snort without losing good traffic?
Currently if I kill the process and restart I lose about 30 seconds of
traffic while snort restarts, not good on an ecommerce site.

I also would like a fail-safe nfqueue bypass in case things go wrong. At
the moment if snort goes down I also get locked out, but it's on a cron job
to restart if it's down for more than 1 minute.

I need some advice please.

Thanks.


Regards,
Lysemose

------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

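The replies quoted above make two points: the alert-to-drop conversion should be done by pulledpork after each download (so a manual edit of the downloaded rules file is never the thing that gets overwritten), and a Snort built with --enable-reload can pick up the new rules when pulledpork is run with -H instead of being restarted. The shell script below is an added example, not code from this thread or from the pulledpork project. It shows the same idea as a standalone post-download step: a list of GID:SID pairs kept outside the rules file is re-applied after every download, and a reload helper checks that the Snort pidfile is readable and the process alive before signalling it. The rule text, SIDs, file names and paths are constructed; that pulledpork -H sends SIGHUP to the configured Snort pid, and that pulledpork's own dropsid configuration is what this mirrors, are assumptions based on the reply, not verified against the pulledpork source.

```shell
#!/bin/sh
# Added example (not from the thread or from pulledpork): keep alert->drop
# decisions in a separate list, re-apply them after every rule download, then
# ask a reload-enabled Snort to re-read its rules instead of restarting it.
set -eu

# convert_to_drop RULES_FILE SID_LIST
# Rewrites 'alert' rules whose GID:SID appears in SID_LIST to 'drop'.
# SID_LIST holds one GID:SID per line; '#' starts a comment. Rules without
# an explicit gid: option are treated as GID 1, Snort's default.
convert_to_drop() {
    rules=$1
    sids=$2
    tmp="$rules.tmp"
    awk -v sidfile="$sids" '
        BEGIN {
            while ((getline line < sidfile) > 0) {
                sub(/#.*/, "", line)        # strip comments
                gsub(/[ \t]/, "", line)     # and whitespace
                if (line != "") want[line] = 1
            }
        }
        /^alert / {
            gid = 1
            if (match($0, /gid:[0-9]+;/)) gid = substr($0, RSTART + 4, RLENGTH - 5)
            if (match($0, /sid:[0-9]+;/)) {
                sid = substr($0, RSTART + 4, RLENGTH - 5)
                if ((gid ":" sid) in want) sub(/^alert /, "drop ")
            }
        }
        { print }
    ' "$rules" > "$tmp"
    mv "$tmp" "$rules"
}

# count_actions RULES_FILE ACTION: number of rules that start with ACTION.
count_actions() {
    grep -c "^$2 " "$1" || true
}

# reload_snort PIDFILE
# Sends SIGHUP to the Snort process named in PIDFILE (assumed to be what the
# reply describes pulledpork -H doing). Refuses when the pidfile is missing or
# the process is gone, so a stale pidfile never signals an unrelated pid.
reload_snort() {
    pidfile=$1
    [ -r "$pidfile" ] || { echo "no readable pidfile at $pidfile" >&2; return 1; }
    pid=$(cat "$pidfile")
    kill -0 "$pid" 2>/dev/null || { echo "pid '$pid' from $pidfile is not running" >&2; return 1; }
    kill -HUP "$pid"
}

# demo: constructed rules and SID list in a scratch directory; prints
# "<drop count> <alert count>" after the conversion has run.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/downloaded.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED sample 1"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"CONSTRUCTED sample 2"; gid:1; sid:9000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"CONSTRUCTED sample 3"; sid:9000003; rev:1;)
EOF
    cat > "$dir/dropsid.list" <<'EOF'
# constructed GID:SID pairs that should drop rather than alert
1:9000001
1:9000002
EOF
    convert_to_drop "$dir/downloaded.rules" "$dir/dropsid.list"
    echo "$(count_actions "$dir/downloaded.rules" drop) $(count_actions "$dir/downloaded.rules" alert)"
    rm -rf "$dir"
}

demo
```

Run the conversion after each pulledpork download and before the reload, so the drop decisions live in the SID list rather than in the downloaded file. The reload only helps when Snort was built with --enable-reload, and the things the reply lists as not reloadable (dynamic libraries, output plugins, other snort.conf settings) still need a full restart.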
