Reloading Snort Settings

Table of contents:

Problem

You have made modifications to the rules, and you need Snort to reread them.

Solution

Like many other Unix programs, sending a SIGHUP to Snort will cause it to reread all its configuration files. You need to find out the process ID of Snort and then send it a SIGHUP using the kill command.

[root@frodo rules]# ps -ef | grep snort

root 10738 1 0 11:34 ? 00:00:00 snort -D -c

/etc/snort/snort.conf -l /var/log/snort

[root@frodo rules]# kill -1 10738

 

Discussion

If you are running Snort as a daemon as discussed in "Running Snort as a Linux Daemon," you need to start Snort with the full path to the executable so that it starts the right binary. Otherwise, someone could insert a compromised Snort binary in the local directory, which would execute instead.

You can, of course, reload all the Snort tables by killing the Snort process completely and starting it up again, although this will take much longer.

See Also

Snort Users Manual

Debugging Snort Rules

Installing Snort from Source on Unix

Logging to a File Quickly

How to Build Rules

Detecting Stateless Attacks and Stream Reassembly

Managing Snort Sensors

Generating Statistical Output from Snort Logs

Monitoring Network Performance

Index



Snort Cookbook
Snort Cookbook
ISBN: 0596007914
EAN: 2147483647
Year: 2006
Pages: 167

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net