Snort mailing list archives
Managing many sensors
From: "robert schwartz" <robert () mrsquirrel com>
Date: Tue, 30 Dec 2003 09:36:01 -0800
I have a lot of sensors I'm deploying (5 at this time with many more being rolled out after the pilot) and we're starting to design the rules management system / update system. I'm looking at a few tools including Activeworx or rsync to do "top down" rule and binary management instead of having the management done on all the remote headless sensors.

With rule updates (including tuning the rulesets sitewide) I can get a good update scheme using rsync, but the snort.conf file will lose the "$HOME_NET" variable and the "sensor_id" variable in the output plugin. If I update all the rules except snort.conf, I lose the ability to disable snmp rules on a sitewide basis (for example) by commenting out that snmp-rules section of the snort.conf and having that change blasted out to the sensors. With Activeworx it appears that I need a unique snort rules configuration for each sensor, and that might be too much admin overhead.

What is the best way to proceed assuming standard UN*X style tools like SSH, OpenSSL, Rsync, etc? Currently I have certificate auth working from a "master" sensor to the "slave" sensors for SSH and Rsync over ssh, but the "perfect" way to update rules from master to clients eludes me. Any help?

Related issue: I want to upgrade to 2.1, but I don't want to update all the remote sensors by hand. Is the snort binary the only file I have to push out? Is there a packing list somewhere in a Makefile or something, or a way to install all the snort binaries into an alternate directory structure so I can move those binaries to the remote machines?

I apologize in advance for the redundant nature of these questions, but although these issues are often discussed, I haven't found a solution that resonates as "the right one" yet.
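One way to keep the per-sensor $HOME_NET and sensor_id values while still pushing everything else from the master, as an added example (not code from the original post): the master holds a single snort.conf template with placeholders, each sensor gets a rendered copy, and rsync with --delete pushes rules plus the rendered config, so commenting out an include or removing a rule file on the master propagates site-wide. The @HOME_NET@ / @SENSOR_ID@ placeholder names, the "name host home_net sensor_id" sensor list format, and the snort@host:/etc/snort/ target are assumptions made for this example.

```shell
#!/bin/sh
# Render a site-wide snort.conf template per sensor and push it with the
# rules over rsync/ssh. Placeholder names, sensor list format and the
# remote path are assumptions for this example, not from the original post.
set -eu

# Substitute the per-sensor values into the master template.
# $1 template, $2 output file, $3 HOME_NET value, $4 sensor_id value
# Values containing '&', '|' or '\' would need escaping for sed.
render_sensor_conf() {
    sed -e "s|@HOME_NET@|$3|g" -e "s|@SENSOR_ID@|$4|g" "$1" > "$2"
}

# Refuse to ship a config that still carries an unreplaced placeholder,
# which would otherwise leave a sensor with a broken HOME_NET or id.
# Returns 0 when clean, 1 otherwise.
verify_rendered() {
    if grep -q '@[A-Z_]*@' "$1"; then
        echo "unreplaced placeholder in $1" >&2
        return 1
    fi
    return 0
}

# Stage the master rules plus the rendered config for one sensor and push.
# --delete makes a rule file removed on the master disappear on the sensor
# too, so site-wide tuning done once on the master reaches every sensor.
# $1 name, $2 host, $3 HOME_NET, $4 sensor_id, $5 master rules dir, $6 template
push_sensor() {
    stage=$(mktemp -d)
    cp -R "$5"/. "$stage"/
    render_sensor_conf "$6" "$stage/snort.conf" "$3" "$4"
    verify_rendered "$stage/snort.conf"
    rsync -az --delete -e ssh "$stage/" "snort@$2:/etc/snort/"
    rm -rf "$stage"
}

# Push to every sensor in list $1 ("name host home_net sensor_id" per line,
# blank lines and '#' comments skipped); $2 master rules dir, $3 template.
push_all() {
    while read -r name host home_net sensor_id; do
        case "$name" in ''|'#'*) continue ;; esac
        push_sensor "$name" "$host" "$home_net" "$sensor_id" "$2" "$3"
    done < "$1"
}

# Usage: ./push-snort.sh sensors.txt /srv/snort/master /srv/snort/snort.conf.tmpl
if [ $# -eq 3 ]; then
    push_all "$1" "$2" "$3"
fi
```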