Snort mailing list archives

Re: Restart snort inline without traffic loss?


From: waldo kitty <wkitty42 () windstream net>
Date: Wed, 06 Feb 2013 12:41:09 -0500

On 2/5/2013 15:26, Andy wrote:
Assuming I do, how do I restart snort without losing good traffic,
currently if I kill the process and restart I lose about 30 seconds of
traffic while snort restarts, not good on an ecommerce site.

do you have snort compiled with "--enable-reload"?? if yes, then you may be able
to trigger your reload without losing traffic... with this option, snort will
reload the config and rules into memory and start using them for *new* 
connections... /existing/ connections will continue to use the old config and 
rules in memory... after those existing connections complete/terminate, snort 
will then flush the old config and rules out of memory and all connections will 
use the new config and rules...

be warned that this may require a "bit" more memory but it should allow you to
reload without losing traffic monitoring for that time period...
