Snort mailing list archives
RE: AW: (Snort-users) Rule management
From: "Jeff Dell" <jdell () activeworx com>
Date: Tue, 27 Nov 2001 07:47:28 -0500
Actually there is a way to restart the sensor automatically with IDSPM. Create a new file in the same directory as the policy, call it "update". Include the file in the settings window. When the policy is uploaded to the sensor, that file will be uploaded as well. Then just have a cronjob on the sensor that looks for that new file. When it finds it, the cronjob restarts snort and deletes the file.

Jeff
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of sandro.poppi () wacker com
Sent: Tuesday, November 27, 2001 7:15 AM
To: jlewis () packetnexus com; snort-users () lists sourceforge net
Subject: [Snort-users] AW: (Snort-users) Rule management

Well, although it's running on W2k I'm using IDS Policy Manager (www.activeworks.com) to manage my linux sensors which can create updates using the actual snortrules.tar.gz file from www.snort.org and MERGE both the rule files and the classification.config changes to the existing policy without touching self-defined or adjusted rules which in my case saves me a huge amount of time.

With IDSPM you can create one policy for n sensors or a separate policy for each sensor with the ability (among others) to do bulk-downloads or update each sensor separately. The download can be done via ftp or scp (recommended ;)

What's still missing is the ability to restart the sensor but this is on the todo list, but this can not be done automatically.

I also was looking for an open source solution for linux but nothing appropriate could be found, but IDSPM works fine for me now, and maybe the author will publish the source code (*wink* to Jeff ;)

Maybe not what you would like to hear.

So long,
Sandro

-----Original Message-----
From: <jlewis () packetnexus com> at internet
Sent: Tuesday, 27 November 2001 06:33
To: <snort-users () lists sourceforge net> at Internet
Subject: [Snort-users] Rule management

I was thinking about all the requests for automatic rule updates. I think this stems from the anti-virus auto update features. The thinking is....the more up to date the sigs are, the better off you are.

What we really need is a rule management tool. IDScenter does some of this, but it runs on Win2k. (You can manage linux sensors too)

Is anyone updating a master rule list and pushing updates to sensors? I have tossed around different ideas for doing this and thought maybe I could get some feedback here. I was thinking a directory structure that had folders for each sensor and rules were updated automatically via scp.

Thoughts?

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure". The people at the other end of the link know less about security than you do. And that's scary.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
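The cron side of the flag-file procedure described in Jeff's message, as an added example that is not part of the original thread or of IDSPM. It goes beyond the description by validating the uploaded policy with `snort -T` before restarting and by ignoring a symlinked flag; the paths, the init script, the lock directory and the `--run` argument are assumptions.

```shell
#!/bin/sh
# Added example: cron hook for the "update" flag file uploaded with the policy.
# All paths and commands below are assumptions; adjust them to the sensor.
# Hypothetical crontab entry:
#   * * * * * root /usr/local/sbin/snort-update-hook.sh --run
POLICY_DIR="${POLICY_DIR:-/etc/snort}"
FLAG_NAME="${FLAG_NAME:-update}"
LOCK_DIR="${LOCK_DIR:-/var/run/snort-update.lock}"
SNORT_TEST_CMD="${SNORT_TEST_CMD:-snort -T -c /etc/snort/snort.conf}"
SNORT_RESTART_CMD="${SNORT_RESTART_CMD:-/etc/init.d/snort restart}"

# Exit status: 0 restarted, 1 nothing to do, 2 policy rejected,
# 3 restart failed, 4 another run holds the lock.
check_and_restart() {
    flag="$POLICY_DIR/$FLAG_NAME"
    # Only existence matters; the flag's content is never read or executed.
    # A symlink is ignored because the upload account controls this directory.
    if [ -L "$flag" ] || [ ! -f "$flag" ]; then
        return 1
    fi
    # mkdir is atomic, so overlapping cron runs cannot both restart snort.
    mkdir "$LOCK_DIR" 2>/dev/null || return 4
    rc=0
    if ! $SNORT_TEST_CMD >/dev/null 2>&1; then
        # Uploaded policy does not parse: leave the running sensor alone
        # and park the flag so cron does not retry every minute.
        mv -f "$flag" "$flag.rejected"
        rc=2
    elif ! $SNORT_RESTART_CMD >/dev/null 2>&1; then
        rc=3    # flag stays in place; the next cron run tries again
    else
        rm -f "$flag"
    fi
    rmdir "$LOCK_DIR"
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    check_and_restart
    exit $?
fi
```

A lock directory left behind by a killed run has to be removed by hand before the hook will act again.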
Current thread:
- AW: (Snort-users) Rule management sandro.poppi (Nov 27)
- RE: AW: (Snort-users) Rule management Jeff Dell (Nov 27)