Re: Restart snort inline without traffic loss?

[Y M <snort () outlook com>]

Look at rate filtering (rate_filter) in Snort's manual. I think you would need to look at the rules you have and 
evaluate what is considered risk to your environment and based on that determine your actions strategy.
> From: a_w_smith () yahoo co uk
> To: snort-users () lists sourceforge net
> Date: Fri, 8 Feb 2013 19:32:11 +0000
> Subject: Re: [Snort-users] Restart snort inline without traffic loss?
>
> > On 2/8/2013 11:57, Jeremy Hoel wrote:
> > > Could you use modifiy.sid to do that?
> >
> > not knowing pulledpork, i'm going to guess that this is exactly what i've
> > been
> > trying to point the OP towards...
> >
> > in oinkmaster, i simply include another conf file that contains actual
> > modifysid
> > options along with enablesid and disablesid options ;)
>
>
> Thanks for all the replies, I will have a look at modify.sid
>
> The way I was planning to use snort/snorby was initially to identify the bad
> traffic and hacking etc
>
> Once I had detected something I definitely wanted to drop I would change the
> rule to a drop rule.
>
> After adding the drop rule I didn't want to be notified about the drops
> because it would be more difficult to see new bad (passed) traffic.
>
> If there is a better way to do things I am open to suggestions, I guess I am
> hoping (eventually) to just see a handful of notifications a day that need
> action. I am currently getting around 100-200 notifications per hour.
>
> If snorby identified the traffic as already dropped then I would keep the
> notifications, I don't think it gives an indication of which traffic is
> passed or dropped, but I could well have missed something else...
>
> Advice welcome
>
> Thanks,
> Andy 
>
>
> ------------------------------------------------------------------------------
> Free Next-Gen Firewall Hardware Offer
> Buy your Sophos next-gen firewall before the end March 2013 
> and get the hardware for free! Learn more.
> http://p.sf.net/sfu/sophos-d2d-feb
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013 
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!