[Oisf-users] Live rule swap performance

Anoop Saldanha anoopsaldanha at gmail.com
Mon Jul 29 03:20:17 UTC 2013

On Mon, Jul 29, 2013 at 12:57 AM, Daniel Wyschogrod <dwyschogrod at bbn.com> wrote:
> I'm working on a system in which I dynamically generate some rules for
> Suricata which I'd like to inject into a running system via the live rule
> swap capability. In particular, I'd like it to also work in IPS mode. I have
> some high level questions for which I couldn't seem to find the answer in
> the documentation:
> With live rule swap in place, are the old and new rule sets "double
> buffered" in the sense that the first set is active until the second set is
> put in place?

That's right.

> For existing connections, do the old rules apply? For long
> term connections, how long do the old rules stick around?

No.  As soon as we replace the old ruleset with the new one, we reset
the rule state for the old flows.  But ideally we should continue with
the old ruleset for the existing flows.

> About how long does it take for the new rules to be in effect?

The standard rule load/setup time it would otherwise take if you load
the same ruleset at the start of the engine.

> Is there any way to add "incremental" rules - that is keep all the old rules
> but just add a few new ones?

No, but we have some plans for this.

> My apologies if I missed this in the documentation. If such documentation
> exists, I'd appreciate a link.

Feel free to open any feature tickets if you like.

Anoop Saldanha

