Snort mailing list archives

Managing many sensors


From: "robert schwartz" <robert () mrsquirrel com>
Date: Tue, 30 Dec 2003 09:36:01 -0800

I have a lot of sensors I'm deploying (5 at this time with many more
being rolled out after the pilot) and we're starting to design the rules
management system / update system.  I'm looking at a few tools including
Activeworx or rsync to do "top down" rule and binary management instead
of having the management done on all the remote headless sensors.  

With rule updates (including tuning the rulesets sitewide) I can get a
good update scheme using rsync, but the snort.conf file will lose the
"$HOME_NET" variable and the "sensor_id" variable in the output plugin.
If I update all the rules except snort.conf, I lose the ability to
disable snmp rules on a sitewide basis (for example) by commenting out
that snmp-rules section of the snort.conf and having that change blasted
out to the sensors.  With Activeworx it appears that I need a unique
snort rules configuration for each sensor, and that might be too much
admin overhead.

What is the best way to proceed assuming standard UN*X style tools like
SSH, OpenSSL, Rsync, etc?  Currently I have certificate auth working
from a "master" sensor to the "slave" sensors for SSH and Rsync over
ssh, but the "perfect" way to update rules from master to clients eludes
me.  Any help?

Related issue:  I want to upgrade to 2.1, but I don't want to update all
the remote sensors by hand.  Is the snort binary the only file I have to
push out?  Is there a packing list somewhere in a Makefile or something,
or a way to install all the snort binaries into an alternate directory
structure so I can move those binaries to the remote machines?

I apologize in advance for the redundant nature of these questions, but
although these issues are often discussed, I haven't found a solution
that resonates as "the right one" yet.
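One way to push one sitewide snort.conf and rule tree with rsync while each sensor keeps its own HOME_NET and sensor_id, as an added shell example that is not from the original post or from the Snort project: the @@NAME@@ placeholder syntax, the file names, the sample network values and the database output line are all constructed for illustration.

```shell
#!/bin/sh
# Constructed example: render a per-sensor snort.conf from one sitewide
# template plus a small per-sensor variable file. The template and rules
# are what rsync pushes; the variable file is the only thing left alone
# on each sensor. Placeholder syntax and layout are assumptions.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Sitewide template, managed on the master. Commenting out the snmp
# include here disables those rules on every sensor at the next push.
cat > "$WORK/snort.conf.tmpl" <<'EOF'
var HOME_NET @@HOME_NET@@
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
output database: log, mysql, user=snort dbname=snort host=db sensor_id=@@SENSOR_ID@@
include $RULE_PATH/web-misc.rules
# include $RULE_PATH/snmp.rules
EOF

# Per-sensor values (constructed); excluded from the rsync'd tree.
cat > "$WORK/sensor.vars" <<'EOF'
HOME_NET=[192.0.2.0/24,198.51.100.0/24]
SENSOR_ID=7
EOF

# render_snort_conf TEMPLATE VARS: prints TEMPLATE with every @@NAME@@
# replaced by NAME's value from VARS (lines "NAME=value", # comments ok).
render_snort_conf() {
    script=""
    while IFS='=' read -r name value; do
        case "$name" in ''|'#'*) continue ;; esac
        # escape \, / and & so the value is safe inside a sed replacement
        esc=$(printf '%s' "$value" | sed 's/[\/&]/\\&/g')
        script="$script s/@@$name@@/$esc/g;"
    done < "$2"
    sed "$script" "$1"
}

# no_unexpanded_placeholders FILE: succeeds only if no @@NAME@@ remains,
# so a sensor is never started on a half-rendered config.
no_unexpanded_placeholders() {
    ! grep -q '@@[A-Za-z_][A-Za-z0-9_]*@@' "$1"
}

render_snort_conf "$WORK/snort.conf.tmpl" "$WORK/sensor.vars" > "$WORK/snort.conf"
no_unexpanded_placeholders "$WORK/snort.conf"
```

The rendering step can run on the master (one output per sensor) or on each sensor after the rsync, as long as the variable file is excluded from the sync and the placeholder check gates the restart.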
