aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

doc: rewrite rule reload doc

Browse Source
pull/2343/head
Victor Julien 10 years ago
parent f867bb61e6
commit e5ee665f24
1 changed files with 15 additions and 55 deletions
Show Stats Download Patch File Download Diff File

70
doc/userguide/rules/live-rule-swap.rst
Unescape Escape View File

@ -1,64 +1,24 @@
Live Rule Reloads
=================
Rule Reloads
============
As of revision - Suricata version 1.3dev (rev 7109a05), Suricata
supports live rule swap. In other words if you decide to
change/update/remove/add rules you can do it on the fly without
stopping Suricata. This is how you can do it.
Suricata can be told to reloads it's rules without restarting.
The live rule reload is available by default without any additional
config changes needed. Lets say you have started Suricata the regular
way with about 11000 rules:
This works by sending Suricata a signal or by using the unix socket. When Suricata is told to reload the rules these are the basic steps it takes:
::
* Load new config
* Load new rules
* Construct new detection engine
* Swap old and new detection engines
* Make sure all threads are updated
* Free old detection engine
root@LTS-64-1:~ # suricata -c /etc/suricata/suricata.yaml -v --af-packet
....
[9907] 13/7/2015 -- 14:53:03 - (detect.c:520) <Info> (SigLoadSignatures) -- 50 rule files processed. 16659 rules successfully loaded, 0 rules failed
[9907] 13/7/2015 -- 14:53:04 - (detect.c:2912) <Info> (SigAddressPrepareStage1) -- 16667 signatures processed. 989 are IP-only rules, 6019 are inspecting packet payload, 12447 inspect application layer, 72 are decoder event only
[9907] 13/7/2015 -- 14:53:04 - (detect.c:2915) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: preprocessing rules... complete
[9907] 13/7/2015 -- 14:53:04 - (detect.c:3548) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... complete
[9907] 13/7/2015 -- 14:53:05 - (detect.c:4194) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... complete
[9907] 13/7/2015 -- 14:53:06 - (util-threshold-config.c:1176) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[9907] 13/7/2015 -- 14:53:06 - (util-coredump-config.c:122) <Info> (CoredumpLoadConfig) -- Core dump size set to unlimited.
[9907] 13/7/2015 -- 14:53:06 - (util-logopenfile.c:227) <Info> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log
[9907] 13/7/2015 -- 14:53:06 - (util-logopenfile.c:227) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[9907] 13/7/2015 -- 14:53:06 - (runmodes.c:774) <Info> (RunModeInitializeOutputs) -- enabling 'eve-log' module 'alert'
[9907] 13/7/2015 -- 14:53:06 - (runmodes.c:774) <Info> (RunModeInitializeOutputs) -- enabling 'eve-log' module 'http'
[9907] 13/7/2015 -- 14:53:06 - (runmodes.c:774) <Info> (RunModeInitializeOutputs) -- enabling 'eve-log' module 'dns'
[9907] 13/7/2015 -- 14:53:06 - (runmodes.c:774) <Info> (RunModeInitializeOutputs) -- enabling 'eve-log' module 'tls'
[9907] 13/7/2015 -- 14:53:06 - (runmodes.c:774) <Info> (RunModeInitializeOutputs) -- enabling 'eve-log' module 'files'
....
...
Suricata will continue to process packets normally during this process. Keep in mind though, that the system should have enough memory for both detection engines.
But there is a new ruleset update and you have made some changes to
some rules and/or added new ones and you would like to do a live swap.
Signal::
Find what is the PID of Suricata:
kill -USR2 $(pidof suricata)
::
Unix socket::
root@LTS-64-1:~ # ps aux |grep suricata
root 9907 56.9 15.9 840624 410544 pts/0 Sl+ 14:52 0:06 suricata -c /etc/suricata/suricata.yaml -v --af-packet
root@LTS-64-1:~ #
suricatasc -c reload-rules
Send the signal:
::
root@LTS-64-1:~ # kill -USR2 9907
Suricata will now reload the rules:
::
[9907] 13/7/2015 -- 14:57:11 - (detect.c:520) <Info> (SigLoadSignatures) -- 50 rule files processed. 16659 rules successfully loaded, 0 rules failed
[9907] 13/7/2015 -- 14:57:11 - (detect.c:2912) <Info> (SigAddressPrepareStage1) -- 16667 signatures processed. 989 are IP-only rules, 6019 are inspecting packet payload, 12447 inspect application layer, 72 are decoder event only
[9907] 13/7/2015 -- 14:57:11 - (detect.c:2915) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: preprocessing rules... complete
[9907] 13/7/2015 -- 14:57:12 - (detect.c:3548) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... complete
[9907] 13/7/2015 -- 14:57:13 - (detect.c:4194) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... complete
[9907] 13/7/2015 -- 14:57:14 - (util-threshold-config.c:1176) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[9907] 13/7/2015 -- 14:57:14 - (detect-engine.c:543) <Notice> (DetectEngineReloadThreads) -- rule reload starting
[9907] 13/7/2015 -- 14:57:14 - (detect-engine.c:622) <Info> (DetectEngineReloadThreads) -- Live rule swap has swapped 2 old det_ctx's with new ones, along with the new de_ctx
[9907] 13/7/2015 -- 14:58:31 - (detect-engine.c:694) <Notice> (DetectEngineReloadThreads) -- rule reload complete
[9907] 13/7/2015 -- 14:58:31 - (detect.c:4226) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... complete

Write Preview
Loading…
Cancel
Save