Snort mailing list archives
Re: Managing many sensors
From: "Kristofer T. Karas" <ktk () enterprise bidmc harvard edu>
Date: Fri, 02 Jan 2004 14:16:12 -0500
robert schwartz wrote:
> I have a lot of sensors I'm deploying... With rule updates (including tuning the rulesets sitewide) I can get a good update scheme using rsync, but the snort.conf file will lose the "$HOME_NET" variable and the "sensor_id" variable in the output plugin.
Simple solution used here is to create a subdirectory (I use /usr/local/snort) that snort runs in. This contains a "bin/" subdirectory for the snort binary, an "etc" subdir for configuration info, "etc/rules/" to hold the snortrules-*.tar.gz data, and so on. In addition to "etc" there's also an "etc.local" directory where I put per-sensor configuration information that should not be replicated from one sensor to another. The file /etc/snort.conf has an "include" statement that sources "../etc.local/local.conf" and then "../etc.local/local.rules" allowing each sensor to be tweaked independently. To push out data, one can then do:
    ssh target "/etc/rc.d/rc.snort stop"
    rsync -a --delete --exclude /etc.local /usr/local/snort/ target:/usr/local/snort/
    ssh target "/etc/rc.d/rc.snort start"

I can update the binary and rules in one swoop.

Kris
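The stop / rsync / start sequence above, turned into a script that pushes the staged tree to a list of sensors and restarts Snort even when a sync fails. This is an added example, not Kris's script or anything from the Snort project; it assumes his layout (/usr/local/snort with bin, etc, etc/rules and a per-sensor etc.local that is never replicated), and the sensor hostnames, the rc script path and the file contents in the self-test are constructed placeholders. Two rsync details the self-test checks: the leading slash in --exclude /etc.local anchors the pattern at the top of the transfer, so only that directory is skipped, and --delete removes stale rule files on the sensor but leaves the excluded etc.local alone.

```shell
#!/bin/sh
# Push a staged Snort tree to many sensors, preserving each sensor's etc.local.
# Added example (not from the original post). Assumes the layout described in
# the thread: STAGE holds the master copy, sensors keep local tuning in etc.local.
set -eu

STAGE=${STAGE:-/usr/local/snort/}          # trailing slash: sync the contents
REMOTE_DIR=${REMOTE_DIR:-/usr/local/snort/}
RC_SCRIPT=${RC_SCRIPT:-/etc/rc.d/rc.snort}  # assumed init script path
# Constructed placeholder hostnames; override with SENSORS="host1 host2 ..."
SENSORS=${SENSORS:-"sensor1.example.internal sensor2.example.internal"}

# sync_tree SRC DEST: mirror SRC into DEST, deleting files that no longer exist
# in SRC, but never touching DEST/etc.local. Works for local paths as well,
# which is what selftest uses.
sync_tree() {
    rsync -a --delete --exclude /etc.local "$1" "$2"
}

# push_sensor HOST: stop snort, sync, start snort. If the sync fails, snort is
# still restarted with the old tree so the sensor does not stay blind.
push_sensor() {
    host=$1
    ssh "$host" "$RC_SCRIPT stop"
    if sync_tree "$STAGE" "$host:$REMOTE_DIR"; then
        ssh "$host" "$RC_SCRIPT start"
    else
        echo "sync to $host failed; restarting snort with the previous tree" >&2
        ssh "$host" "$RC_SCRIPT start"
        return 1
    fi
}

# push_all: push to every sensor, continue past failures, report them at the end.
push_all() {
    failed=""
    for h in $SENSORS; do
        push_sensor "$h" || failed="$failed $h"
    done
    [ -z "$failed" ] || { echo "failed:$failed" >&2; return 1; }
}

# selftest: build a constructed staging tree and a constructed sensor tree in a
# temp dir, run sync_tree, and verify: rules and binary updated, stale rule file
# removed, etc.local untouched. Prints "ok" and returns 0 on success.
selftest() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/stage/bin" "$tmp/stage/etc/rules"
    echo 'snort binary build 2' > "$tmp/stage/bin/snort"
    printf 'include ../etc.local/local.conf\ninclude ../etc.local/local.rules\n' \
        > "$tmp/stage/etc/snort.conf"
    echo 'web.rules rev 2' > "$tmp/stage/etc/rules/web.rules"

    mkdir -p "$tmp/sensor/bin" "$tmp/sensor/etc/rules" "$tmp/sensor/etc.local"
    echo 'snort binary build 1' > "$tmp/sensor/bin/snort"
    echo 'web.rules rev 1' > "$tmp/sensor/etc/rules/web.rules"
    echo 'retired rules' > "$tmp/sensor/etc/rules/old.rules"
    echo 'var HOME_NET 10.20.0.0/16' > "$tmp/sensor/etc.local/local.conf"

    sync_tree "$tmp/stage/" "$tmp/sensor/"

    result=ok
    grep -q 'rev 2' "$tmp/sensor/etc/rules/web.rules" || result="rules not updated"
    [ ! -e "$tmp/sensor/etc/rules/old.rules" ] || result="stale rule file kept"
    grep -q 'build 2' "$tmp/sensor/bin/snort" || result="binary not updated"
    grep -q '10.20.0.0/16' "$tmp/sensor/etc.local/local.conf" || result="etc.local clobbered"
    rm -rf "$tmp"
    echo "$result"
    [ "$result" = ok ]
}

# Usage: ./push-snort.sh selftest   (local check, no ssh needed)
#        ./push-snort.sh push       (push to every host in SENSORS)
case "${1:-}" in
    selftest) selftest ;;
    push) push_all ;;
esac
```

Run the selftest once on the management host before the first real push; it exercises exactly the rsync flags used against the sensors, so a typo in the exclude pattern shows up as "etc.local clobbered" locally instead of as a sensor that comes back up with the wrong HOME_NET.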