Reloading Snort Settings

Problem

You have made modifications to the rules, and you need Snort to reread them.

Solution

As with many other Unix programs, sending Snort a SIGHUP causes it to reread all its configuration files. Find the process ID of Snort, and then send it a SIGHUP using the kill command.

[root@frodo rules]# ps -ef | grep snort
root     10738     1  0 11:34 ?        00:00:00 snort -D -c /etc/snort/snort.conf -l /var/log/snort
[root@frodo rules]# kill -1 10738

Discussion

If you are running Snort as a daemon, as discussed in "Running Snort as a Linux Daemon," you need to start Snort with the full path to the executable so that the right binary is started. Otherwise, someone could insert a compromised Snort binary in the local directory, and it would be executed instead.

You can, of course, reload all the Snort tables by killing the Snort process completely and starting it up again, although this will take much longer.
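
The script below is an added example, not part of the original recipe. It combines the SIGHUP reload from the Solution with the full-path advice from the Discussion: it signals only Snort processes whose command line begins with an absolute path, and it matches on the program name so the grep process itself is never picked up. The function names and the --reload switch are assumptions made for this example.

```bash
#!/bin/sh
# Added example: send SIGHUP to Snort only when it was started by full path.

# classify "PID ARGS..."
# Takes one process line (PID followed by the full command line) and prints
#   "reload PID"  if argv[0] is an absolute path ending in /snort
#   "refuse PID"  if argv[0] is snort given by bare name or relative path
#   nothing       if the process is not Snort (for example "grep snort")
classify() {
    c_pid=${1%% *}          # first word: the process ID
    c_args=${1#* }          # remainder: the command line
    c_cmd=${c_args%% *}     # argv[0] as it was typed at start-up
    [ "${c_cmd##*/}" = "snort" ] || return 0
    case "$c_cmd" in
        /*) echo "reload $c_pid" ;;
        *)  echo "refuse $c_pid" ;;
    esac
}

# Walk the process table and act on each Snort process found.
reload_snort() {
    ps -eo pid=,args= | while read -r pid args; do
        decision=$(classify "$pid $args")
        case "$decision" in
            "reload "*)
                kill -HUP "$pid" && echo "SIGHUP sent to Snort (pid $pid)"
                ;;
            "refuse "*)
                echo "pid $pid: Snort was not started with a full path;" \
                     "stop it and start it again by full path" >&2
                ;;
        esac
    done
}

# Nothing is signalled unless the script is invoked with --reload.
if [ "${1:-}" = "--reload" ]; then
    reload_snort
fi
```

Run against the ps output shown in the Solution, classify reports "refuse 10738", because that Snort process was started as plain "snort" rather than by its full path.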

See Also

Snort Users Manual

Debugging Snort Rules
