Problem
You have made modifications to the rules, and you need Snort to reread them.
Solution
As with many other Unix programs, sending Snort a SIGHUP causes it to reread all its configuration files. Find the process ID of Snort, then send it a SIGHUP using the kill command.
[root@frodo rules]# ps -ef | grep snort
root     10738     1  0 11:34 ?        00:00:00 snort -D -c /etc/snort/snort.conf -l /var/log/snort
[root@frodo rules]# kill -1 10738
Discussion
If you are running Snort as a daemon, as discussed in "Running Snort as a Linux Daemon," start Snort with the full path to the executable so that the right binary is started. Otherwise, someone could insert a compromised Snort binary in the local directory, and it would execute instead.
You can, of course, reload all the Snort tables by killing the Snort process completely and starting it up again, although this will take much longer.
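The full-path advice above can be checked before the signal is sent. The following is an added example, not part of the original recipe: it sends SIGHUP only to Snort processes whose argv[0] is an absolute path and reports the rest. It assumes a Linux /proc filesystem and the pgrep utility; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: reload Snort with SIGHUP only when it was started by
# absolute path. Assumes Linux /proc and pgrep; names are hypothetical.

# Return 0 if the first word of a command line is an absolute path.
argv0_is_absolute() {
    case "${1%% *}" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Print argv[0] of a PID (arguments in /proc/PID/cmdline are NUL-separated).
argv0_of_pid() {
    tr '\0' '\n' < "/proc/$1/cmdline" | head -n 1
}

# Send SIGHUP to every snort process started by full path; report the others
# on stderr and return non-zero so a wrapper script can react.
reload_snort() {
    rc=0
    for pid in $(pgrep -x snort); do
        argv0=$(argv0_of_pid "$pid")
        if argv0_is_absolute "$argv0"; then
            kill -HUP "$pid" && echo "sent SIGHUP to $pid ($argv0)"
        else
            echo "skipped $pid: started as '$argv0', not a full path" >&2
            rc=1
        fi
    done
    return $rc
}

# Run as root after editing rules:  sh reload-snort.sh reload
if [ "${1:-}" = "reload" ]; then
    reload_snort
fi
```

The process in the ps listing above was started as plain `snort`, so this check would skip it and report it instead of signalling it.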
See Also
Snort Users Manual