Snort mailing list archives

Re: Restart snort inline without traffic loss?


From: "Andy" <a_w_smith () yahoo co uk>
Date: Fri, 8 Feb 2013 09:15:51 -0000

Thanks, I have added 3 rules into dropsid.conf and re-run pulledpork, it
said 3 rules had been set as drop, however I am still seeing alerts for the
drop rules, for example in dropsid.conf I have:-

#ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake
1:2010908

I am still seeing this though:-

02/08-08:57:28.629171  [**] [1:2010908:6] ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 198.105.219.58:60340 -> ***

Also seeing the alert in snorby.

I have also tried restarting everything, do I need something else set to
block this?

Thanks,
Andy
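An added check, not taken from any message in this thread, for the situation described above (pulledpork reports rules set as drop, yet Snort still alerts): read the action keyword straight from the processed rules file instead of trusting the pulledpork summary, and confirm the Snort command line requests inline mode, since without -Q a drop rule is handled as an alert. The rules file path, the sample rules and the command-line strings are constructed assumptions.

```shell
#!/bin/sh
# Added example: verify a pulledpork-processed rules file and the Snort
# invocation. RULES_FILE is an assumed path; override it for your box.
RULES_FILE="${RULES_FILE:-/etc/snort/rules/snort.rules}"

# rule_action FILE SID
# Prints the action keyword ("drop", "alert", ...) of the enabled rule that
# carries SID, or "missing" if the sid is absent or commented out (disabled).
rule_action() {
    awk -v sid="$2" '
        /^[ \t]*#/ { next }                        # disabled rule, skip it
        $0 ~ ("sid: *" sid ";") { print $1; found = 1; exit }
        END { if (!found) print "missing" }
    ' "$1"
}

# inline_mode_ok CMDLINE
# Returns 0 only if the Snort command line asks for inline mode (-Q) and the
# nfq DAQ; either one missing means drop rules cannot block anything.
inline_mode_ok() {
    case " $1 " in
        *" -Q "*) ;;
        *) return 1 ;;
    esac
    case " $1 " in
        *"--daq nfq "*|*"--daq=nfq "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample mimicking pulledpork output: one rule rewritten to
# drop (the sid from the thread), one still alerting, one disabled.
SAMPLE_RULES="$(mktemp)"
cat > "$SAMPLE_RULES" <<'EOF'
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake"; flow:to_server; sid:2010908; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"sample still alerting"; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"sample disabled"; sid:1000002; rev:1;)
EOF

rule_action "$SAMPLE_RULES" 2010908    # drop
rule_action "$SAMPLE_RULES" 1000001    # alert
rule_action "$SAMPLE_RULES" 1000002    # missing

# Assumed command lines; on a live host compare against `ps -o args -C snort`.
if inline_mode_ok "snort -Q --daq nfq -c /etc/snort/snort.conf"; then
    echo "inline mode requested: drop rules can block"
fi
if ! inline_mode_ok "snort --daq nfq -c /etc/snort/snort.conf"; then
    echo "no -Q on the command line: drop rules only alert"
fi
```

Run `rule_action "$RULES_FILE" 2010908` against the file Snort actually loads (the one named by the include lines in snort.conf), not the raw downloaded ET file.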

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Thursday, February 07, 2013 6:32 PM
To: Andy
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Restart snort inline without traffic loss?

Look into dropsid.conf in pulledpork.  That may help you.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On Feb 7, 2013, at 12:55 PM, Andy <a_w_smith () yahoo co uk> wrote:


      Thanks for all the replies, I am still confused by the rules I am
      getting with pulledpork, every rule is an alert, none are a drop, so if I
      want snort to drop bad traffic what do I do? If I manually change an alert
      rule to a drop rule it will get overwritten on the next download, have I
      missed something?

      Andy



              -----Original Message-----
              From: Y M [mailto:snort () outlook com]
              Sent: Wednesday, February 06, 2013 10:35 AM
              To: Andy
              Cc: snort-users () lists sourceforge net
              Subject: RE: [Snort-users] Restart snort inline without traffic loss?

              If Snort is configured with reload option such as --enable-reload, then
              you can supply the -H argument to pulledpork whenever it is run. This will
              cause Snort to reload the new signatures processed by pulledpork without
              having to shutdown the Snort process. However, there are certain limits to
              what can be reloaded, such as dynamic libraries, output plugins, and other
              configurations from the snort.conf file.

              YM
              ________________________________

              From: Andy <mailto:a_w_smith () yahoo co uk>
              Sent: 2/6/2013 1:27 PM
              To: 'Heine Lysemose' <mailto:lysemose () gmail com>
              Cc: snort-users () lists sourceforge net
              Subject: Re: [Snort-users] Restart snort inline without traffic loss?


              Hi,

              I am already using pulledpork, how can I use this to help with
              my issues?

              Thanks,
              Andy.



                      -----Original Message-----
                      From: Heine Lysemose [mailto:lysemose () gmail com]
                      Sent: Tuesday, February 05, 2013 9:02 PM
                      To: Andy
                      Cc: snort-users () lists sourceforge net
                      Subject: Re: [Snort-users] Restart snort inline without traffic loss?

                      Hi Andy

                      On Feb 5, 2013 9:30 PM, "Andy" <a_w_smith () yahoo co uk> wrote:

                              Hi,

                              I am new to snort, I have it installed on a web server running inline
                              mode with iptables, nfqueue, barnyard2 and snorby.

                              I've downloaded the emerging threats rules, firstly all the rules are
                              alerts, do I have to convert these to drop if I want to drop the
                              traffic?

                      Have a look at Pulledpork, http://code.google.com/p/pulledpork/, it will
                      do this for you + a lot of other cool things.

                              Assuming I do, how do I restart snort without losing good traffic,
                              currently if I kill the process and restart I lose about 30 seconds of
                              traffic while snort restarts, not good on an ecommerce site.

                              I also would like a fail safe nfqueue bypass in case things go wrong, at
                              the moment if snort goes down I also get locked out but it's on a cron job
                              to restart if it's down for more than 1 minute.

                              I need some advice please..

                              Thanks.

                      Regards,
                      Lysemose




                              ------------------------------------------------------------------------------
                              Free Next-Gen Firewall Hardware Offer
                              Buy your Sophos next-gen firewall before the end March 2013
                              and get the hardware for free! Learn more.
                              http://p.sf.net/sfu/sophos-d2d-feb
                              _______________________________________________
                              Snort-users mailing list
                              Snort-users () lists sourceforge net
                              Go to this URL to change user options or unsubscribe:
                              https://lists.sourceforge.net/lists/listinfo/snort-users
                              Snort-users list archive:
                              http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

                              Please visit http://blog.snort.org to stay current on all the latest
                              Snort news!
