Snort mailing list archives

Re: snort inline mode and bridge


From: Y M <snort () outlook com>
Date: Tue, 1 Nov 2016 19:10:57 +0000

Yes it does.

YM





On Tue, Nov 1, 2016 at 10:09 PM +0300, "Vincent Li" <vincent.mc.li () gmail com> wrote:

yep, that is one of the things that I considered initially and didn't use reload. Does pulledpork update shared object 
rules?

On Tue, Nov 1, 2016 at 11:48 AM, Y M <snort () outlook com> wrote:

Keep in mind that updating shared object rules requires restarting Snort. If shared object rules are updated and then 
Snort is reloaded you will see error/warning messages while Snort is running. Just something to keep in mind if you 
observe the messages.


YM


________________________________
From: Vincent Li <vincent.mc.li () gmail com>
Sent: Thursday, October 27, 2016 8:45 PM
To: Russ
Cc: snort-devel () lists sourceforge net
Subject: Re: [Snort-devel] snort inline mode and bridge

thanks! I guess daily signatures update is reloadable config for snort
reload, so I will just use reload.

On Thu, Oct 27, 2016 at 3:51 AM, Russ <rucombs () cisco com> wrote:


On 10/26/16 5:02 PM, Vincent Li wrote:

it is not a problem, but some optimal improvement I would like to see.
I have a lower end PC with two NICs running snort IPS bridge mode
between my ISP modem and my router at home. I use pulledpork to
update signatures every day and I scripted snort to restart to take
the updated signatures after new signatures finish downloading. the
snort restart takes about 5 minutes to finish and during this 5
minute period, my home Internet is down since snort starts the DAQ
bridge after SnortInit which takes most of the time I think. btw I
have not tried snort reload

You should try reload, that is exactly what it is for.  Snort will keep
running during the reload so you don't have that downtime.


my question is : can the DAQ bridge be started earlier in the snort
startup process, maybe before SnortInit , so that traffic can be
passed through early to reduce the network connectivity downtime to
minimum.

Snort has "fail open" support during startup because some initialization
must be done after opening the DAQ interfaces. During that time, which is
typically very brief, it will pass packets so your network remains
functional.  However, most of the startup time is prior to the fail open
state.  The change you suggest is possible but reload should make it
unnecessary.


let me know if I made myself clear :)



Thanks

Vincent

On Tue, Oct 25, 2016 at 11:31 AM, Russ <rucombs () cisco com> wrote:

Please restate the original problem.  I don't think fail open is what
you are after.

On 10/25/16 2:03 PM, Vincent Li wrote:

On Thu, Oct 13, 2016 at 8:26 PM, Y M <snort () outlook com> wrote:

Hello Vincent,


I haven't tried this before, but when building Snort, there is this build
option:


"--enable-inline-init-failopen  Enable Fail Open during initialization for Inline Mode (adds pthread support implicitly)"


Have you tried this? I would be interested to know if this achieves what you
need.

so I tried to build snort with --enable-inline-init-failopen, it did
not solve the problem I have. it looks to me the InlineFailOpen is
called near to the end of SnortMain after SnortInit (which takes most
of the time during snort restart) and before PacketLoop();

I tried to hack the code to call InlineFailOpen before SnortInit, but
I had memory segment fault after starting up snort and pass traffic
through it, I assume some memory has to be allocated before starting
up the DAQ bridge, any further clue?

maybe some improvement needed in line with the idea of InlineFailOpen ?

Thanks

Vincent


_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
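
Added example, not part of the original thread or of Snort/pulledpork: a post-update hook that follows the advice above by reloading Snort when only text rules changed and restarting it when shared object rules changed. Assumptions: shared object rules are `*.so` files under the directory you pass in, Snort 2.9.x is built with reload support so that SIGHUP triggers a reload, and the service name `snort` in the restart command is a placeholder for your own.

```bash
#!/usr/bin/env bash
# Decide between "reload" and "restart" after a rule update, based on whether
# the shared object (SO) rule files changed. All paths and names are assumptions.

# Print one fingerprint covering every *.so file below a directory.
so_fingerprint() {
    local dir=$1
    [ -d "$dir" ] || { echo "absent"; return 0; }
    find "$dir" -type f -name '*.so' -print0 | sort -z \
        | xargs -0 -r sha256sum | sha256sum | cut -d' ' -f1
}

# Usage: plan_after_update <so_rule_dir> <updater command...>
# Runs the updater (e.g. your pulledpork invocation) and prints the plan:
#   reload  - SO rules untouched, a live reload is enough
#   restart - SO rules changed, a reload would produce errors/warnings
#   keep    - updater failed, leave the running Snort alone
plan_after_update() {
    local so_dir=$1 before after
    shift
    before=$(so_fingerprint "$so_dir")
    if ! "$@" >&2; then          # updater output goes to stderr, plan to stdout
        echo "keep"
        return 1
    fi
    after=$(so_fingerprint "$so_dir")
    if [ "$before" = "$after" ]; then echo "reload"; else echo "restart"; fi
}

# Usage: apply_plan <plan> <snort pidfile>
# Dry run by default: the command is printed. Call with RUN set to the empty
# string (RUN= apply_plan ...) to execute it instead.
apply_plan() {
    local plan=$1 pidfile=$2
    case $plan in
        reload)  ${RUN-echo} kill -HUP "$(cat "$pidfile")" ;;
        restart) ${RUN-echo} systemctl restart snort ;;   # placeholder service name
        *)       : ;;                                      # keep: nothing to do
    esac
}
```

With an inline bridge, the `restart` branch is the only one that interrupts traffic, so it is worth logging which plan was chosen on each daily run.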