Snort mailing list archives

Re: Managing many sensors


From: Andreas Östling <andreaso () it su se>
Date: Fri, 2 Jan 2004 21:00:05 +0100 (CET)


On Tue, 30 Dec 2003, robert schwartz wrote:

What is the best way to proceed assuming standard UN*X style tools like
SSH, OpenSSL, Rsync, etc?  Currently I have certificate auth working
from a "master" sensor to the "slave" sensors for SSH and Rsync over
ssh, but the "perfect" way to update rules from master to clients eludes
me.  Any help?

It sounds like your solution is pretty good and I wouldn't know what the 
"perfect" way is. I can only tell you how I did it with the rules and 
config part in case it could give some ideas.
Some of the requirements I had:

- Ability to use one global config where rules can be globally
  enabled/disabled/modified and then also ability to fine-tune 
  rules/config on each sensor (even override global settings if required) 
  and also have each one report all exact changes (as a change in the 
  global config may give different results on different sensors depending 
  on their local configuration, it's nice to be informed of the exact
  resulting diff). Same goes for non-rule stuff like variables and bpf
  filters and such.

- Must work equally well for official and local rules (hence also 
  multi-line rules for example), and new local rules and other config 
  stuff must only have to be added in one single place

- Must scale well, i.e. number of sensors should not matter at all and
  adding new sensors must be trivial. Everything must be easy to script
  and a GUI should be optional, not required.

The solution for me was to run Oinkmaster on each sensor to grab rules 
and other configs from a central host (which itself has first updated and
processed them with a global Oinkmaster config). To keep things simple I
use one tarball for official rules and another for local stuff, and they
go to different output directories.

One thing I like to take advantage of is the fact that Snort (and 
Oinkmaster as well if you use that) can use include files, so you can
reduce admin overhead by using multiple config files. I use this by 
having one global snort config (containing all common stuff) and also one
sensor-specific config for each sensor. They are also distributed with
Oinkmaster just as the other files.

/Andreas
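As an added example (not code from the post, and not Oinkmaster's own code), here is a plain sh+awk emulation of the "report all exact changes" step described above: it joins multi-line rules, applies a sensor-local disable list on top of the centrally prepared rule set, and prints the resulting per-SID diff. The two sample rule files are constructed for the demonstration.

```shell
# Added example (not Oinkmaster's code); the sample rule files below are constructed.
# normalize_rules <file>: join backslash-continued (multi-line) rules and emit
# "<sid> TAB <on|off> TAB <rule>" per rule; commented-out rules count as "off".
normalize_rules() {
    awk '/\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0; next }
    { line = buf $0; buf = ""
      if (match(line, /sid:[ \t]*[0-9]+/)) {
          sid = substr(line, RSTART + 4, RLENGTH - 4); gsub(/[ \t]/, "", sid)
          state = (line ~ /^[ \t]*#/) ? "off" : "on"
          sub(/^[ \t]*#[ \t]*/, "", line); print sid "\t" state "\t" line } }' "$1" | sort -n
}
# disable_sids <file> <sid...>: the sensor-local override (think disablesid);
# safe for multi-line rules because each rule is rewritten on a single line.
disable_sids() {
    f=$1; shift
    normalize_rules "$f" | awk -v list="$*" 'BEGIN { FS = "\t"; n = split(list, a, " ")
        for (i = 1; i <= n; i++) off[a[i]] = 1 }
      { rule = substr($0, length($1) + length($2) + 3)
        pre = ($2 == "off" || ($1 in off)) ? "# " : ""; print pre rule }'
}
# report_changes <old> <new>: one line per rule whose presence, enabled state
# or text differs, i.e. the exact resulting diff each sensor reports back.
report_changes() {
    old=$(mktemp); normalize_rules "$1" > "$old"
    normalize_rules "$2" | awk -v old="$old" 'BEGIN { FS = "\t"
        while ((getline l < old) > 0) { split(l, p, "\t"); st[p[1]] = p[2]
            tx[p[1]] = substr(l, length(p[1]) + length(p[2]) + 3) } }
      { rule = substr($0, length($1) + length($2) + 3)
        if (!($1 in st)) { print "added " $1 } else {
            if (st[$1] != $2) { w = ($2 == "on") ? "enabled" : "disabled"; print w " " $1 }
            if (tx[$1] != rule) print "modified " $1
            delete st[$1] } }
      END { for (s in st) print "removed " s }' | sort -k2,2n
    rm -f "$old"
}
# write_samples <dir>: constructed rule sets, yesterday's on the sensor versus
# today's from the central host (1000001 changed, 1000003 dropped, 1000004 new).
write_samples() {
    cat > "$1/old.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test one"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test two"; \
    content:"foo"; sid:1000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS test"; sid:1000003; rev:1;)
EOF
    cat > "$1/new.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test one"; content:"bar"; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test two"; \
    content:"foo"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP test"; sid:1000004; rev:1;)
EOF
}
```

Run `write_samples` on a scratch directory, then `disable_sids new.rules 1000002 > sensor.rules` and `report_changes old.rules sensor.rules`; the report is `modified 1000001`, `disabled 1000002`, `removed 1000003`, `added 1000004`, which is the sensor-specific outcome of one central update plus one local override.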

