README.reload
Reloading a Snort configuration
===============================

Snort now supports reloading a configuration in lieu of restarting Snort, so
as to provide seamless traffic inspection during a configuration change.
A separate thread will parse and create a swappable configuration object while
the main Snort packet processing thread continues inspecting traffic under the
current configuration. When a swappable configuration object is ready for use,
the main Snort packet processing thread will swap in the new configuration and
will continue processing under the new configuration. Note that for some
preprocessors, existing session data will continue to use the configuration
under which it was created, in order to continue with proper state for that
session. All newly created sessions will, however, use the new configuration.

Enabling support
================

To enable support for reloading a configuration, add "--enable-reload" to
configure when compiling.

There is also an ancillary option that determines how Snort should behave
if any non-reloadable options are changed (see "Non-reloadable configuration
options" below). This option is enabled by default and the behavior is for
Snort to restart if any non-reloadable options are added/modified/removed.
To disable this behavior and have Snort exit instead of restart, add
"--disable-reload-error-restart" in addition to "--enable-reload" to configure
when compiling.

NOTE: This functionality is not currently supported in Windows.

Reloading a configuration
=========================

First modify your snort.conf (the file passed to the '-c' option on the
command line).

Then, to initiate a reload, send Snort a SIGHUP signal, e.g.

    $ kill -SIGHUP <snort pid>

NOTE: If reload support is not enabled, Snort will restart (as it always has)
upon receipt of a SIGHUP.

NOTE: An invalid configuration will still result in a fatal error, so
you should test your new configuration before issuing a reload, e.g.

    $ snort -c snort.conf -T

Non-reloadable configuration options
====================================

There are a number of option changes that are currently non-reloadable because
they require changes to output, startup memory allocations, etc. Modifying any
of these options will cause Snort to restart (as a SIGHUP previously did) or
exit (if "--disable-reload-error-restart" was used to configure Snort).

Reloadable configuration options of note:

  * Adding, modifying or removing text rules and variables is reloadable.
  * Adding, modifying or removing preprocessor configurations is reloadable
    (except as noted below).

Non-reloadable configuration options of note:

  * Adding, modifying or removing shared objects via dynamicdetection,
    dynamicengine and dynamicpreprocessor is not reloadable, i.e. any
    new/modified/removed shared objects will require a restart.
  * Any changes to output will require a restart.

Changes to the following options are not reloadable:

    attribute_table
    config alertfile
    config asn1
    config chroot
    config daemon
    config detection_filter
    config flowbits_size
    config interface
    config logdir
    config max_attribute_hosts
    config max_attribute_services_per_host
    config nolog
    config no_promisc
    config pkt_count
    config rate_filter
    config response
    config set_gid
    config set_uid
    config snaplen
    config threshold
    dynamicdetection
    dynamicengine
    dynamicpreprocessor
    output

In certain cases, only some of the parameters to a config option or
preprocessor configuration are not reloadable. Those parameters are
listed below the relevant config option or preprocessor.

    config ppm: max_rule_time <int>
                rule-log
    config profile_rules
        filename
        print
        sort
    config profile_preprocs
        filename
        print
        sort
    preprocessor dcerpc2
        memcap
    preprocessor frag3_global
        max_frags
        memcap
        prealloc_frags
        prealloc_memcap
    preprocessor perfmonitor
        file
        snortfile
        flow-file
        flow-ip-file
    preprocessor sfportscan
        memcap
        logfile
    preprocessor stream5_global
        memcap
        max_tcp
        max_udp
        max_icmp
        track_tcp
        track_udp
        track_icmp

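The reload procedure above (test the candidate file with "snort -T", then send SIGHUP) and the non-reloadable option list, combined into one guarded reload helper. This is an added example written for this page, not a script shipped with Snort. It assumes a POSIX sh with sed, sort, comm and grep -E, a snort binary on PATH, and that the caller passes the currently running config, the candidate config and a pid file path (the paths in the usage line are placeholders). The two regex lists are transcribed from the option list above; the classifier is deliberately conservative, flagging any changed line that carries a non-reloadable parameter even when only a reloadable parameter on that line was edited, so an operator is warned before a SIGHUP turns into a restart or exit.

```sh
#!/bin/sh
# Added example (not part of the Snort distribution): guarded reload helper.
# Assumptions: POSIX sh with sed, sort, comm and grep -E; a 'snort' binary on
# PATH; the caller supplies the running config, the candidate config and a pid
# file path (the paths in the usage line are placeholders).
#
# Usage: sh snort-reload.sh /etc/snort/snort.conf.running /etc/snort/snort.conf /var/run/snort.pid

# Whole directives the README lists as non-reloadable, as one extended regex.
NONRELOADABLE_WHOLE='^(attribute_table|dynamicdetection|dynamicengine|dynamicpreprocessor|output)([[:space:]:]|$)|^config[[:space:]]+(alertfile|asn1|chroot|daemon|detection_filter|flowbits_size|interface|logdir|max_attribute_hosts|max_attribute_services_per_host|nolog|no_promisc|pkt_count|rate_filter|response|set_gid|set_uid|snaplen|threshold)([[:space:]:]|$)'

# Directives where only the named parameters are non-reloadable.
NONRELOADABLE_PARAMS='^config[[:space:]]+ppm:.*(max_rule_time|rule-log)|^config[[:space:]]+profile_(rules|preprocs):.*(filename|print|sort)|^preprocessor[[:space:]]+dcerpc2:.*memcap|^preprocessor[[:space:]]+frag3_global:.*(max_frags|memcap|prealloc_frags|prealloc_memcap)|^preprocessor[[:space:]]+perfmonitor:.*(file|snortfile|flow-file|flow-ip-file)|^preprocessor[[:space:]]+sfportscan:.*(memcap|logfile)|^preprocessor[[:space:]]+stream5_global:.*(memcap|max_tcp|max_udp|max_icmp|track_tcp|track_udp|track_icmp)'

# normalize_conf FILE: join backslash-continued lines, drop comments, blank
# lines and surrounding whitespace, and sort so comm(1) can compare two files.
normalize_conf() {
    sed -e ':a' -e '/\\$/N' -e 's/\\\n//' -e 'ta' "$1" \
      | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | grep -v '^$' | sort
}

# changed_directives OLD NEW: directive lines that were added, removed or
# modified between the two configs (lines common to both are suppressed by
# comm -3; the tab comm puts in front of file-2 lines is stripped).
changed_directives() {
    old_n=$(mktemp) new_n=$(mktemp)
    normalize_conf "$1" > "$old_n"
    normalize_conf "$2" > "$new_n"
    comm -3 "$old_n" "$new_n" | sed 's/^[[:space:]]*//'
    rm -f "$old_n" "$new_n"
}

# nonreloadable_changes OLD NEW: print the changed directives that will make a
# SIGHUP restart (or exit) Snort instead of reloading; return 1 if any exist.
# Conservative by design: a changed line that carries a non-reloadable parameter
# is flagged even if only a reloadable parameter on that line was edited.
nonreloadable_changes() {
    hits=$(changed_directives "$1" "$2" \
             | grep -E "$NONRELOADABLE_WHOLE|$NONRELOADABLE_PARAMS" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# guarded_reload CONF PIDFILE: the README's procedure as one step. 'snort -T'
# validates the candidate config first; SIGHUP is sent only if that passes, so
# an invalid file never reaches the running daemon as a fatal error.
guarded_reload() {
    if ! snort -c "$1" -T >/dev/null 2>&1; then
        echo "snort -T rejected $1; not sending SIGHUP" >&2
        return 1
    fi
    kill -HUP "$(cat "$2")"
}

if [ "$#" -eq 3 ]; then
    if ! nonreloadable_changes "$1" "$2"; then
        echo "the directives above are not reloadable: Snort will restart (or exit) on SIGHUP" >&2
    fi
    guarded_reload "$2" "$3"
fi
```

Run with the running config, the candidate config and the pid file as the three arguments. The classifier only reports; it still proceeds with the guarded reload, because with the default "--enable-reload" build a SIGHUP on a non-reloadable change is simply a restart, and the warning tells the operator to expect one.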
Caveats:
========

When Snort is run on the primary network interface of an OpenBSD system, the
reload and failopen operations may not function as expected.