Snort mailing list archives

Re: [Snort-users] Restart snort inline without traffic loss?


From: "Chinmay Mahata" <chinmay_mahata () rediffmail com>
Date: 6 Feb 2013 15:22:28 -0000

Also make sure -
- you have made the default policy for the FORWARD chain in the filter table ACCEPT (for snort inline mode).
- to be more wait/sleep a few seconds before restarting snort, so that any queued packets get serviced.
  or check the file /proc/net/netfilter/nfnetlink_queue for queued pkts.

Regards,




You can write one restart script.
steps
- remove iptables entries targeting nf_queue
- restart snort
- apply iptables entries targeting nf_queue


On Wed, Feb 6, 2013 at 1:56 AM, Andy <a_w_smith () yahoo co uk> wrote:

Hi,

I am new to snort, I have it installed on a web server running inline mode
with iptables, nfqueue, barnyard2 and snorby.

I've downloaded the emerging threats rules, firstly all the rules are
alerts, do I have to convert these to drop if I want to drop the traffic?

Assuming I do, how do I restart snort without losing good traffic,
currently if I kill the process and restart I lose about 30 seconds of
traffic while snort restarts, not good on an ecommerce site.

I also would like a fail safe nfqueue bypass in case things go wrong, at the
moment if snort goes down I also get locked out but it's on a cron job to
restart if it's down for more than 1 minute.

I need some advice please..

Thanks.





------------------------------------------------------------------------------

Free Next-Gen Firewall Hardware Offer

Buy your Sophos next-gen firewall before the end March 2013

and get the hardware for free! Learn more.

http://p.sf.net/sfu/sophos-d2d-feb

_______________________________________________

Snort-users mailing list

Snort-users () lists sourceforge net

Go to this URL to change user options or unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:

http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users



Please visit http://blog.snort.org to stay current on all the latest Snort news!



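
The restart sequence suggested in this message, as an added shell example that is not part of the original posts or of Snort itself: it checks the chain policy, removes the NFQUEUE rule, waits for the queue in /proc/net/netfilter/nfnetlink_queue to drain, restarts snort, and re-adds the rule only once a listener is bound to the queue again. The rule spec, queue number 0, the `service snort restart` command and all function names are assumptions; while the rule is out, traffic passes uninspected.

```shell
#!/bin/sh
# Assumed values (not from the thread): rule spec, queue number, restart command.
IPT=${IPT:-iptables}
CHAIN=${CHAIN:-FORWARD}
QNUM=${QNUM:-0}
RULE=${RULE:-"-j NFQUEUE --queue-num $QNUM"}
SNORT_RESTART=${SNORT_RESTART:-"service snort restart"}
QFILE=${QFILE:-/proc/net/netfilter/nfnetlink_queue}

# Packets waiting for a verdict on queue $2 in proc file $1 (column 1 is
# the queue number, column 3 the queued total). Prints 0 if no such queue.
queued_pkts() {
    awk -v q="$2" '$1 == q { n = $3 } END { print n + 0 }' "$1"
}

# True when some process is bound to queue $2 (its line exists in $1).
queue_bound() {
    awk -v q="$2" '$1 == q { f = 1 } END { exit !f }' "$1"
}

# True when the chain's default policy is ACCEPT, so packets pass once the
# NFQUEUE rule is removed instead of hitting a DROP policy.
policy_is_accept() {
    $IPT -S "$CHAIN" | grep -q "^-P $CHAIN ACCEPT\$"
}

# Run command "$@" once a second until it succeeds; give up after 30 tries.
retry() {
    t=0
    until "$@"; do
        t=$((t + 1)); [ "$t" -ge 30 ] && return 1
        sleep 1
    done
}

queue_empty() { [ "$(queued_pkts "$QFILE" "$QNUM")" -eq 0 ]; }

restart_inline() {
    policy_is_accept || { echo "$CHAIN policy is not ACCEPT" >&2; return 1; }
    $IPT -D "$CHAIN" $RULE || return 1                 # stop queueing
    retry queue_empty || echo "queue still not empty" >&2
    $SNORT_RESTART && retry queue_bound "$QFILE" "$QNUM" || {
        echo "snort not listening; rule left out, traffic uninspected" >&2
        return 2; }
    $IPT -I "$CHAIN" 1 $RULE                           # queue traffic again
}

# Act only when invoked with "run", so the file can also be sourced.
if [ "${1:-}" = "run" ]; then restart_inline; fi
```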
