Re: Resetting Snort without reloading everything

[Hui cao <huica () cisco com>]

You can combine ScPcapReset() with SetRotatePerfFileFlag(void) in snort.c

Best,
Hui.

On 03/31/2015 08:33 AM, Mike Cox wrote:
> I'm wanting to run a large number of independent pcaps thru Snort and 
> would like to be able to "reset" Snort after each run so that, 
> particularly, I can move off the alert files after each run and link 
> them with the pcap.  Currently I do separate Snort runs for each pcap 
> but this adds unnecessary overhead and time since the rules, configs, 
> preprocs, etc. have to get loaded for each run.  I do this because 
> Snort maintains an open file handle(s) to the alert file(s) and 
> doesn't always immediately flush alerts to disk so I send a kill 
> signal to Snort and wait until the file handles are released before 
> processing the alert file(s).
>
> Is there an easy way to reset Snort without having to restart it and 
> reload all the rules, etc.? Or is there a way to have the engine flush 
> everything to detection and flush alerts to disk that I could invoke 
> after I know the pcap has all been sent to Snort?
>
> There appears to be some solutions that are close to what I want but 
> not quite -- I know you can send a signal (default SIGUSR2) to Snort 
> to rotate stats and in pcap run mode you can tell Snort to reset after 
> each pcap but it still logs everything to the same alert file(s).
>
> I don't see an inherent way to have Snort do what I want so my next 
> thought is to modify the code to do this.  Could someone point me in 
> the right direction? It seems that this functionality is already there 
> in the code for the most part (indicated by the fact that you can have 
> Snort reset between pcaps in pcap run mode) I just need to be able to 
> call it (e.g. listen for a signal) and make sure that when I reset 
> Snort I am in fact "doing it right" and not missing anything. I'm 
> hoping that some assistance regarding the latter will save me some 
> time going thru the code. At this point I'm mostly concerned about 
> alerts and not so much about engine/perf stats so forcing flushing to 
> detection and flushing to disk (and appropriately dealing with the 
> file handle(s)) is my main concern.  Any help is appreciated.
>
> Thank you.
>
> -Mike Cox
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website, sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for all
> things parallel software development, from weekly thought leadership blogs to
> news, videos, case studies, tutorials and more. Take a look and join the
> conversation now. http://goparallel.sourceforge.net/
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!