Snort mailing list archives

Re: Restart snort inline without traffic loss?


From: "Andy" <a_w_smith () yahoo co uk>
Date: Fri, 8 Feb 2013 10:06:48 -0000

Thanks, this leads to another question: can I configure dropsid.conf to
change alert to sdrop rather than drop when using pulledpork? I had a Google
and didn't find much.

Thanks,
Andy

-----Original Message-----
From: Y M [mailto:snort () outlook com]
Sent: Friday, February 08, 2013 9:36 AM
To: Andy; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Restart snort inline without traffic loss?

The drop action will drop the packet AND alert at the same time. If you
want to completely ignore the alert for drop rules you can use sdrop
action.

YM
________________________________

From: Andy <mailto:a_w_smith () yahoo co uk>
Sent: 2/8/2013 12:16 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Restart snort inline without traffic loss?


Thanks, I have added 3 rules to dropsid.conf and re-run pulledpork. It
said 3 rules had been set as drop; however, I am still seeing alerts for the
drop rules. For example, in dropsid.conf I have:-

#ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake
1:2010908

I am still seeing this though:-

02/08-08:57:28.629171  [**] [1:2010908:6] ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 198.105.219.58:60340 -> ***

Also seeing the alert in snorby.

I have also tried restarting everything, do I need something else set to
block this?

Thanks,
Andy

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Thursday, February 07, 2013 6:32 PM
To: Andy
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Restart snort inline without traffic loss?

Look into dropsid.conf in pulledpork.  That may help you.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On Feb 7, 2013, at 12:55 PM, Andy <a_w_smith () yahoo co uk> wrote:


       Thanks for all the replies. I am still confused by the rules I am
       getting with pulledpork: every rule is an alert, none are a drop, so if I
       want snort to drop bad traffic what do I do? If I manually change an alert
       rule to a drop rule it will get overwritten on the next download. Have I
       missed something?

       Andy



               -----Original Message-----
               From: Y M [mailto:snort () outlook com]
               Sent: Wednesday, February 06, 2013 10:35 AM
               To: Andy
               Cc: snort-users () lists sourceforge net
               Subject: RE: [Snort-users] Restart snort inline without traffic loss?

               If Snort is configured with a reload option such as --enable-reload, then
               you can supply the -H argument to pulledpork whenever it is run. This will
               cause Snort to reload the new signatures processed by pulledpork without
               having to shut down the Snort process. However, there are certain limits to
               what can be reloaded, such as dynamic libraries, output plugins, and other
               configurations from the snort.conf file.

               YM
               ________________________________

               From: Andy <mailto:a_w_smith () yahoo co uk>
               Sent: 2/6/2013 1:27 PM
               To: 'Heine Lysemose' <mailto:lysemose () gmail com>
               Cc: snort-users () lists sourceforge net
               Subject: Re: [Snort-users] Restart snort inline without traffic loss?


               Hi,

               I am already using pulledpork, how can I use this to help with my issues?

               Thanks,
               Andy.


                       -----Original Message-----
                       From: Heine Lysemose [mailto:lysemose () gmail com]
                       Sent: Tuesday, February 05, 2013 9:02 PM
                       To: Andy
                       Cc: snort-users () lists sourceforge net
                       Subject: Re: [Snort-users] Restart snort inline without traffic loss?

                       Hi Andy

                       On Feb 5, 2013 9:30 PM, "Andy" <a_w_smith () yahoo co uk> wrote:

                               Hi,

                               I am new to snort, I have it installed on a web server running inline
                               mode with iptables, nfqueue, barnyard2 and snorby.

                               I've downloaded the emerging threats rules, firstly all the rules are
                               alerts, do I have to convert these to drop if I want to drop the
                               traffic?

                       Have a look at Pulledpork, http://code.google.com/p/pulledpork/, it will
                       do this for you + a lot of other cool things.

                               Assuming I do, how do I restart snort without losing good traffic,
                               currently if I kill the process and restart I lose about 30 seconds of
                               traffic while snort restarts, not good on an ecommerce site.

                               I also would like a fail safe nfqueue bypass in case things go wrong, at
                               the moment if snort goes down I also get locked out but it's on a cron job
                               to restart if it's down for more than 1 minute.

                               I need some advice please..

                               Thanks.

                       Regards,
                       Lysemose




------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013 
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
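To make the thread's answer concrete (dropsid.conf makes pulledpork rewrite the action keyword of the listed gid:sid rules on every run, so a hand edit of the downloaded file does not survive the next download; a drop rule still raises an alert, and sdrop is the action that drops without alerting), here is an added Python example. It is not pulledpork's or Snort's own code: it reproduces only that action-rewriting step and then reads the result back, which is the check Andy wanted after pulledpork reported "3 rules had been set as drop". The rule bodies, the SIDs other than 2010908, the dropsid list and the rules-file path in the usage note are all constructed for the example.

```python
"""Apply a pulledpork-style dropsid.conf list to Snort 2.x rule text and
verify the resulting action per rule.

Added example, not pulledpork's own code.  Only the behaviour discussed in
the thread is modelled: every listed gid:sid rule gets its action keyword
rewritten (alert -> drop/sdrop) each time the rules are processed.
"""
import re

# Constructed sample rules (not the real ET rule bodies).
RULES = """\
# comment line, left untouched
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake"; flow:established,to_server; content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; classtype:trojan-activity; sid:2010908; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE rule two"; sid:2000002; rev:1;)
# alert tcp any any -> any any (msg:"EXAMPLE disabled rule"; sid:2000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE rule four"; sid:2000004; rev:1;)
"""

# Constructed dropsid.conf body: one gid:sid per line, '#' starts a comment,
# blank lines are ignored (the format Andy used in the thread).
DROPSID_CONF = """\
#ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake
1:2010908
1:2000004
"""

ACTIONS = ("alert", "log", "pass", "drop", "sdrop", "reject", "activate", "dynamic")
_RULE_RE = re.compile(r"^(?P<action>%s)\s+" % "|".join(ACTIONS))
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def parse_dropsid(text):
    """Return the set of (gid, sid) pairs listed in a dropsid.conf body."""
    pairs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        gid, sid = line.split(":", 1) if ":" in line else ("1", line)
        pairs.add((int(gid), int(sid)))
    return pairs


def rule_identity(rule):
    """(gid, sid) of one rule line; gid defaults to 1 as in Snort."""
    sid = _SID_RE.search(rule)
    if not sid:
        return None
    gid = _GID_RE.search(rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def apply_dropsid(rules_text, dropsid_text, action="drop"):
    """Rewrite the action keyword of every listed, enabled rule to `action`.

    Disabled (commented-out) rules and unlisted rules are left alone.  The
    rewrite is idempotent, which is exactly why a manual edit of the merged
    file does not survive: pulledpork re-reads the downloaded rules and
    rewrites the listed ones from scratch on every run.
    """
    if action not in ("drop", "sdrop", "reject"):
        raise ValueError("action must be drop, sdrop or reject")
    wanted = parse_dropsid(dropsid_text)
    out = []
    for line in rules_text.splitlines():
        m = _RULE_RE.match(line)
        if m and rule_identity(line) in wanted:
            line = action + line[m.end("action"):]
        out.append(line)
    return "\n".join(out) + "\n"


def actions_by_sid(rules_text):
    """Map (gid, sid) -> action for every enabled rule: the post-run check."""
    result = {}
    for line in rules_text.splitlines():
        m = _RULE_RE.match(line)
        if m:
            result[rule_identity(line)] = m.group("action")
    return result


if __name__ == "__main__":
    for act in ("drop", "sdrop"):
        rewritten = apply_dropsid(RULES, DROPSID_CONF, act)
        print("--- rules after applying dropsid.conf with action", act)
        for ident, a in sorted(actions_by_sid(rewritten).items()):
            print("%d:%d -> %s" % (ident[0], ident[1], a))
```

After a real pulledpork run the same check is a grep over the merged file, for example `grep -E '^(drop|sdrop) ' /etc/snort/rules/snort.rules | grep 'sid:2010908;'` (path assumed; use whatever -o path pulledpork writes to). If the line reads `drop ...` and Snorby still shows the event, that is the drop action doing what YM described: blocking and alerting at once. Switching the listed rules to sdrop silences the alert, at the cost of having no record in barnyard2/Snorby that the packet was blocked, and the rewrite has to be reapplied by pulledpork on every download, not by editing the rules file by hand.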
