Snort mailing list archives

Resetting Snort without reloading everything


From: Mike Cox <mike.cox52 () gmail com>
Date: Tue, 31 Mar 2015 08:33:46 -0400

I'm wanting to run a large number of independent pcaps through Snort and would
like to be able to "reset" Snort after each run so that, particularly, I
can move off the alert files after each run and link them with the pcap.
Currently I do separate Snort runs for each pcap but this adds unnecessary
overhead and time since the rules, configs, preprocs, etc. have to get
loaded for each run.  I do this because Snort maintains an open file
handle(s) to the alert file(s) and doesn't always immediately flush alerts
to disk so I send a kill signal to Snort and wait until the file handles
are released before processing the alert file(s).

Is there an easy way to reset Snort without having to restart it and reload
all the rules, etc.? Or is there a way to have the engine flush everything
to detection and flush alerts to disk that I could invoke after I know the
pcap has all been sent to Snort?

There appear to be some solutions that are close to what I want but not
quite -- I know you can send a signal (default SIGUSR2) to Snort to rotate
stats, and in pcap run mode you can tell Snort to reset after each pcap, but
it still logs everything to the same alert file(s).

I don't see an inherent way to have Snort do what I want, so my next thought
is to modify the code to do this.  Could someone point me in the right
direction? It seems that this functionality is already there in the code
for the most part (indicated by the fact that you can have Snort reset
between pcaps in pcap run mode); I just need to be able to call it (e.g.
listen for a signal) and make sure that when I reset Snort I am in fact
"doing it right" and not missing anything. I'm hoping that some assistance
regarding the latter will save me some time going thru the code. At this
point I'm mostly concerned about alerts and not so much about engine/perf
stats so forcing flushing to detection and flushing to disk (and
appropriately dealing with the file handle(s)) is my main concern.  Any
help is appreciated.

Thank you.

-Mike Cox
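The one-run-per-pcap workaround described in the post, as an added example rather than code from the Snort project or from the post's author: a small driver that gives every pcap its own log directory (so the alert file is already tied to its capture and never has to be moved), waits for the Snort process to exit (at which point the kernel has closed its file handles and the alert file is complete), and parses the "-A fast" output so each alert carries the name of the pcap that produced it. It assumes a Snort 2.x binary on PATH with the documented `-c`, `-r`, `-l`, `-A fast` and `-q` flags, that Snort exits on its own once the pcap has been read in `-r` mode, that the fast output lands in a file named `alert` inside the log directory, and a config path of `/etc/snort/snort.conf`; the alert lines embedded below are constructed, not real output.

```python
import os
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

SNORT_BIN = "snort"                    # assumption: Snort 2.x binary on PATH
SNORT_CONF = "/etc/snort/snort.conf"   # assumption: location of the config
ALERT_FILE = "alert"                   # assumption: name of the -A fast file in the -l dir

# Shape of one "-A fast" line (assumed from the documented format):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src -> dst
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample of fast-alert output, including one non-alert line.
SAMPLE_FAST_OUTPUT = (
    "03/31-08:33:46.123456  [**] [1:1000001:1] TEST http [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80\n"
    "not an alert line\n"
    "03/31-08:33:47.000001  [**] [1:1000002:2] TEST icmp [**] "
    "[Priority: 2] {ICMP} 10.0.0.1 -> 10.0.0.2\n"
)


@dataclass
class Alert:
    pcap: str                 # the capture that produced this alert
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: Optional[int]
    proto: str
    src: str
    dst: str


def parse_fast_alerts(text: str, pcap: str) -> List[Alert]:
    """Parse "-A fast" output, tagging every alert with its source pcap.
    Lines that do not match the fast format are skipped, not guessed at."""
    alerts = []
    for raw in text.splitlines():
        m = FAST_RE.match(raw.strip())
        if not m:
            continue
        alerts.append(Alert(
            pcap=pcap, ts=m["ts"],
            gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
            msg=m["msg"], classification=m["cls"],
            priority=int(m["pri"]) if m["pri"] else None,
            proto=m["proto"], src=m["src"], dst=m["dst"],
        ))
    return alerts


def logdir_for(pcap: str, base: str) -> str:
    """One log directory per pcap: the alert file is linked to its capture
    by location, so nothing has to be moved after the run."""
    return os.path.join(base, os.path.basename(pcap) + ".snort")


def snort_command(pcap: str, logdir: str,
                  conf: str = SNORT_CONF, binary: str = SNORT_BIN) -> List[str]:
    """Snort 2.x single-pcap invocation: -r reads the file, -l sets the log
    directory, -A fast selects the one-line alert format, -q keeps it quiet."""
    return [binary, "-q", "-c", conf, "-r", pcap, "-l", logdir, "-A", "fast"]


def run_one(pcap: str, base: str, timeout: float = 600.0) -> List[Alert]:
    """Run Snort on one pcap and return its alerts. subprocess.run() blocks
    until the process has exited, so by the time we read the alert file its
    descriptors are closed and its contents are complete. On timeout the
    child is killed and the run is reported as failed rather than partial."""
    logdir = logdir_for(pcap, base)
    os.makedirs(logdir, exist_ok=True)
    try:
        subprocess.run(snort_command(pcap, logdir), check=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        raise RuntimeError(f"snort did not finish {pcap} within {timeout}s")
    path = os.path.join(logdir, ALERT_FILE)
    if not os.path.exists(path):
        return []                      # nothing written, nothing to parse
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_fast_alerts(fh.read(), pcap)


def run_batch(pcaps: List[str], base: str) -> List[Alert]:
    """Sequential batch: each pcap gets a fresh engine and its own output."""
    results: List[Alert] = []
    for p in pcaps:
        results.extend(run_one(p, base))
    return results


if __name__ == "__main__":
    import sys
    # With arguments: OUTDIR PCAP...; without, parse the constructed sample.
    alerts = (run_batch(sys.argv[2:], sys.argv[1]) if len(sys.argv) > 2
              else parse_fast_alerts(SAMPLE_FAST_OUTPUT, "sample.pcap"))
    for a in alerts:
        print(f"{a.pcap}\t{a.ts}\t{a.gid}:{a.sid}:{a.rev}\t{a.msg}\t{a.src} -> {a.dst}")
```

The per-pcap directory is the point: because each run writes into `logdir_for(pcap)`, the alert-to-pcap link is established by the filesystem layout before Snort starts, and reading the file only after `subprocess.run()` returns removes the need to watch for released file handles. The cost is the full rule reload per run that the post complains about; this script does nothing to avoid that.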
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
