Snort mailing list archives
Re: snort inline mode and bridge
From: Y M <snort () outlook com>
Date: Tue, 1 Nov 2016 19:10:57 +0000
Yes it does.

YM

On Tue, Nov 1, 2016 at 10:09 PM +0300, "Vincent Li" <vincent.mc.li () gmail com> wrote:

yep, that is one of the things that I considered initially and didn't use reload, does pulledpork update shared object rules?

On Tue, Nov 1, 2016 at 11:48 AM, Y M <snort () outlook com> wrote:

Keep in mind that updating shared object rules requires restarting Snort. If shared object rules are updated and then Snort is reloaded you will see error/warning messages while Snort is running. Just something to keep in mind if you observe the messages.

YM

________________________________
From: Vincent Li <vincent.mc.li () gmail com>
Sent: Thursday, October 27, 2016 8:45 PM
To: Russ
Cc: snort-devel () lists sourceforge net
Subject: Re: [Snort-devel] snort inline mode and bridge

thanks! I guess daily signatures update is reloadable config for snort reload, so I will just use reload.

On Thu, Oct 27, 2016 at 3:51 AM, Russ <rucombs () cisco com> wrote:
On 10/26/16 5:02 PM, Vincent Li wrote:

> it is not a problem, but some optimal improvement I would like to see. I have a lower end PC with two NICs running snort IPS bridge mode between my ISP modem and my router at home. I use pulledpork to update signatures every day and I scripted snort to restart to take the updated signatures after new signatures finish downloading. the snort restart takes about 5 minutes to finish and during this 5-minute period, my home Internet is down since snort starts the DAQ bridge after SnortInit, which takes most of the time I think. btw I have not tried snort reload

You should try reload, that is exactly what it is for. Snort will keep running during the reload so you don't have that downtime.

> my question is: can the DAQ bridge be started earlier in the snort startup process, maybe before SnortInit, so that traffic can be passed through early to reduce the network connectivity downtime to a minimum.

Snort has "fail open" support during startup because some initialization must be done after opening the DAQ interfaces. During that time, which is typically very brief, it will pass packets so your network remains functional. However, most of the startup time is prior to the fail open state. The change you suggest is possible but reload should make it unnecessary.

> let me know if I made myself clear :)
>
> Thanks
>
> Vincent
>
> On Tue, Oct 25, 2016 at 11:31 AM, Russ <rucombs () cisco com> wrote:
>
>> Please restate the original problem. I don't think fail open is what you are after.
>>
>> On 10/25/16 2:03 PM, Vincent Li wrote:
>>
>>> On Thu, Oct 13, 2016 at 8:26 PM, Y M <snort () outlook com> wrote:
>>>
>>>> Hello Vincent,
>>>>
>>>> I haven't tried this before, but when building Snort, there is this build option:
>>>>
>>>> "--enable-inline-init-failopen Enable Fail Open during initialization for Inline Mode (adds pthread support implicitly)"
>>>>
>>>> Have you tried this? I would be interested to know if this achieves what you need.
>>>
>>> so I tried to build snort with --enable-inline-init-failopen, it did not solve the problem I have. it looks to me the InlineFailOpen is called near the end of SnortMain after SnortInit (which takes most of the time during snort restart) and before PacketLoop(); I tried to hack the code to call InlineFailOpen before SnortInit, but I had memory segment fault after starting up snort and passing traffic through it. I assume some memory has to be allocated before starting up the DAQ bridge, any further clue? maybe some improvement needed in line with the idea of InlineFailOpen?
>>>
>>> Thanks
>>>
>>> Vincent

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
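The thread's conclusion (reload for ordinary rule updates, restart only when shared object rules change) can be scripted so the inline bridge only goes down when it has to. The following is an added example, not code from the thread or from the Snort or PulledPork projects; it assumes SO rules are `*.so` files under a single directory and that Snort was built with reload support and reloads its configuration on SIGHUP.

```shell
#!/bin/sh
# Added example: pick "reload" or "restart" after a rule update.
# Assumptions (not from the thread): SO rules are *.so files in one
# directory; Snort reloads on SIGHUP; all paths and commands passed in
# are placeholders supplied by the operator.

# Print one digest covering every shared object rule file under $1.
so_digest() {
    find "$1" -type f -name '*.so' -exec sha256sum {} + 2>/dev/null \
        | sort -k 2 | sha256sum | cut -d ' ' -f 1
}

# "reload" if the SO rule set is unchanged between two digests, else "restart".
choose_action() {
    if [ "$1" = "$2" ]; then echo reload; else echo restart; fi
}

# $1 = SO rule directory, remaining args = the update command to run.
# Prints the action that the update calls for.
plan_after_update() {
    dir=$1; shift
    before=$(so_digest "$dir")
    "$@" || { echo update-failed; return 1; }
    after=$(so_digest "$dir")
    choose_action "$before" "$after"
}

# $1 = action, $2 = Snort pid file, remaining args = restart command.
# Reload keeps Snort running; restart takes the bridge down until init ends.
apply_action() {
    action=$1; pidfile=$2; shift 2
    case $action in
        reload)  kill -HUP "$(cat "$pidfile")" ;;
        restart) "$@" ;;
        *)       return 1 ;;
    esac
}

# Usage sketch (placeholders, not real paths):
#   action=$(plan_after_update <so_rule_dir> <update command...>) &&
#       apply_action "$action" <snort pid file> <restart command...>
```

Because a restart is still needed whenever the SO digest changes, scheduling that branch for a low-traffic window limits the outage the original poster described.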
Current thread:
- snort inline mode and bridge Vincent Li (Oct 13)
- Re: snort inline mode and bridge Y M (Oct 13)
- Re: snort inline mode and bridge Vincent Li (Oct 14)
- Re: snort inline mode and bridge Vincent Li (Oct 25)
- Re: snort inline mode and bridge Russ (Oct 25)
- Re: snort inline mode and bridge Vincent Li (Oct 26)
- Re: snort inline mode and bridge Russ (Oct 27)
- Re: snort inline mode and bridge Vincent Li (Oct 27)
- Re: snort inline mode and bridge Y M (Nov 01)
- Re: snort inline mode and bridge Vincent Li (Nov 01)
- Re: snort inline mode and bridge Y M (Nov 01)
- Re: snort inline mode and bridge Y M (Oct 13)