Snort mailing list archives

Re: Reload Snort to use new ruleset


From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Thu, 28 Jul 2011 13:26:11 -0500

One minor nit.  Your script should restart barnyard before restarting 
snort.  Otherwise it is possible to catch an alert that won't be classified 
because barnyard has not yet reread the sid-msg.map file.

Yes, I said it's a nit.

--On July 26, 2011 8:44:44 PM +0000 "Castle, Shane" 
<scastle () bouldercounty org> wrote:

The command "kill -SIGHUP <pid>" has not worked for some time with Snort
IIRC (nor pkill, which I had been using before) and the suggested init.d
entry for controlling snort does not use it, either, but rather stop and
start:

    restart|reload)
        $0 stop
        $0 start

I suspect the doc needs updating.

Add in using barnyard2 and things get more interesting. Here is my
current cron script that uses oinkmaster (no pulledpork suggestions
please):

#!/bin/bash
# Fetch updated rules with oinkmaster, regenerate sid-msg.map, then restart the sensor.
cd /etc/snort
/sbin/service barnyard2 stop

./oinkmaster.pl -o ./rules -b ./backup -C ./bleeding-oink.conf \
    -C ./oinkmaster.conf >oink.out 2>&1

./create-sidmap.pl rules >sid-msg.map
/sbin/service snort restart
/sbin/service barnyard2 start



-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell
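As an added example (not the posted script, and not Snort's or oinkmaster's own code), the same cron job rewritten with the ordering from the reply above, plus checks so that a failed rule download or an unparsable sid-msg.map never restarts snort. The config-test invocation `snort -T -c ./snort.conf`, the snort.conf path and the SNORT_BIN location are assumptions.

```shell
#!/bin/bash
# Added example: oinkmaster update with barnyard2 brought back up before
# snort restarts, and with checks so a broken update leaves the running
# sensor untouched. Assumed: SNORT_BIN, ./snort.conf, "snort -T" (config test).
set -eu

SNORT_DIR="${SNORT_DIR:-/etc/snort}"
SERVICE="${SERVICE:-/sbin/service}"
SNORT_BIN="${SNORT_BIN:-/usr/sbin/snort}"

# Validate a generated sid-msg.map: non-empty, and every non-comment line
# looks like "<sid> || <msg>[ || <ref>...]". Returns 0 when it is usable.
check_sidmap() {
    local map="$1" n=0 line
    [ -s "$map" ] || return 1
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        printf '%s\n' "$line" | grep -Eq '^[0-9]+ [|][|] .+' || return 1
        n=$((n + 1))
    done < "$map"
    [ "$n" -gt 0 ]
}

# Runs on any failure after barnyard2 was stopped: discard the candidate
# map and bring barnyard2 back on the old sid-msg.map; snort is not touched.
recover() {
    rm -f sid-msg.map.new
    "$SERVICE" barnyard2 start
}

update_rules() {
    cd "$SNORT_DIR"
    "$SERVICE" barnyard2 stop
    trap recover EXIT
    ./oinkmaster.pl -o ./rules -b ./backup -C ./bleeding-oink.conf \
        -C ./oinkmaster.conf >oink.out 2>&1
    ./create-sidmap.pl rules >sid-msg.map.new
    check_sidmap sid-msg.map.new
    "$SNORT_BIN" -T -c ./snort.conf >snort-test.out 2>&1   # assumed flag
    mv sid-msg.map.new sid-msg.map
    trap - EXIT
    "$SERVICE" barnyard2 start   # re-reads the new sid-msg.map first ...
    "$SERVICE" snort restart     # ... then snort comes up on the new rules
}

# Only act when explicitly asked (e.g. RUN_UPDATE=1 from cron); otherwise
# sourcing this file just defines the functions.
if [ "${RUN_UPDATE:-0}" = 1 ]; then update_rules; fi
```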

