[Oisf-users] Live rule swap performance

Daniel Wyschogrod dwyschogrod at bbn.com
Sun Jul 28 19:27:02 UTC 2013

I'm working on a system in which I dynamically generate some rules for Suricata which I'd like to inject into a running system via the live rule swap capability. In particular, I'd like it to also work in IPS mode. I have some high level questions for which I couldn't seem to find the answer in the documentation:

With live rule swap in place, are the old and new rule sets "double buffered" in the sense that the first set is active until the second set is put in place? For existing connections, do the old rules apply? For long term connections, how long to the old rules stick around?
About how long does it take for the new rules to be in effect?
Is there any way to add "incremental" rules - that is keep all the old rules but just add a few new ones?

My apologies if I missed this in the documentation. If such documentation exists, I'd appreciate a link.

Dan Wyschogrod
Dan Wyschogrod

Senior Scientist
Cyber Security
Raytheon/BBN Technologies
10 Moulton St.
Cambridge, MA 02138

dwyschogrod at bbn.com


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130728/7e8d00c2/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2593 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130728/7e8d00c2/attachment.bin>

More information about the Oisf-users mailing list