Snort mailing list archives
Re: Managing many sensors
From: Andreas Östling <andreaso () it su se>
Date: Fri, 2 Jan 2004 21:00:05 +0100 (CET)
On Tue, 30 Dec 2003, robert schwartz wrote:

> What is the best way to proceed assuming standard UN*X style tools like SSH, OpenSSL, Rsync, etc? Currently I have certificate auth working from a "master" sensor to the "slave" sensors for SSH and Rsync over ssh, but the "perfect" way to update rules from master to clients eludes me. Any help?

It sounds like your solution is pretty good and I wouldn't know what the "perfect" way is. I can only tell you how I did with the rules and config part in case it could give some ideas. Some of the requirements I had:

- Ability to use one global config where rules can be globally enabled/disabled/modified and then also ability to fine-tune rules/config on each sensor (even override global settings if required) and also have each one report all exact changes (as a change in the global config may give different results on different sensors depending on their local configuration, it's nice to be informed of the exact resulting diff). Same goes for non-rule stuff like variables and bpf filters and such.
- Must work equally well for official and local rules (hence also multi-line rules for example), and new local rules and other config stuff must only have to be added in one single place.
- Must scale well, i.e. number of sensors should not matter at all and adding new sensors must be trivial. Everything must be easy to script and a GUI should be optional, not required.

The solution for me was to run Oinkmaster on each sensor to grab rules and other configs from a central host (which itself has first updated and processed them with a global Oinkmaster config). To keep things simple I use one tarball for official rules and another for local stuff, and they go to different output directories.

One thing I like to take advantage of is the fact that Snort (and Oinkmaster as well if you use that) can use include files, so you can reduce admin overhead by using multiple config files. I use this by having one global snort config (containing all common stuff) and also one sensor-specific config for each sensor. They are also distributed with Oinkmaster just as the other files.

/Andreas
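The two-layer scheme Andreas describes (a global config applied first, a sensor-local config that may override it, and each sensor reporting the exact resulting diff, with multi-line rules handled as one unit) can be illustrated in a few lines. The script below is an added example, not Oinkmaster and not the poster's own setup: the rules, sids, sensor names and the enable/disable sets are constructed for illustration, and the "config" is a plain dict per layer rather than an Oinkmaster config file.

```python
"""Global + per-sensor rule overrides with an exact resulting diff.

Added illustration of the scheme in the post above: the global config is
applied first, then the sensor-local config (which wins on conflicts), and
the sensor reports a unified diff of its resulting rules file. Not
Oinkmaster and not the poster's code; all data below is constructed.
"""
import difflib
import re

# Constructed "official" rules file; sid 1003 is a multi-line rule.
OFFICIAL_RULES = """\
alert tcp any any -> any 80 (msg:"EXAMPLE one"; sid:1001; rev:1;)
alert tcp any any -> any 25 (msg:"EXAMPLE two"; sid:1002; rev:1;)
alert tcp any any -> any 21 (msg:"EXAMPLE three"; \\
    content:"USER"; sid:1003; rev:1;)
"""

# Constructed configs: the global layer disables sid 1002 everywhere;
# sensor-b re-enables it locally (override) and disables sid 1003 instead.
GLOBAL_CFG = {"disable": {1002}, "enable": set()}
SENSOR_CFG = {
    "sensor-a": {"disable": set(), "enable": set()},
    "sensor-b": {"disable": {1003}, "enable": {1002}},
}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_rules(text):
    """Split a rules file into logical entries, joining backslash
    continuations so a multi-line rule is one unit.

    Returns (sid, enabled, body) tuples; lines without a sid (blank lines,
    plain comments) are kept as (None, None, line).
    """
    def classify(parts):
        joined = " ".join(p.rstrip().rstrip("\\").strip() for p in parts)
        m = SID_RE.search(joined)
        if not m:
            return (None, None, joined)
        enabled = not joined.lstrip().startswith("#")
        return (int(m.group(1)), enabled, joined.lstrip("# ").strip())

    entries, buf = [], []
    for line in text.splitlines():
        buf.append(line)
        if line.rstrip().endswith("\\"):
            continue  # rule continues on the next line
        entries.append(classify(buf))
        buf = []
    if buf:  # dangling continuation at end of file: keep it anyway
        entries.append(classify(buf))
    return entries


def apply_overrides(entries, disable=(), enable=()):
    """Comment out / re-enable rules by sid. Called once per layer, global
    first and sensor-local second, so the local layer wins on conflicts."""
    out = []
    for sid, enabled, body in entries:
        if sid is not None:
            if sid in disable:
                enabled = False
            if sid in enable:
                enabled = True
        out.append((sid, enabled, body))
    return out


def render(entries):
    """Write entries back out; disabled rules get a leading '# '.
    Multi-line rules are emitted joined on one line (still a valid rule)."""
    lines = []
    for sid, enabled, body in entries:
        lines.append(body if sid is None or enabled else "# " + body)
    return "\n".join(lines) + "\n"


def build_sensor_rules(official_text, sensor):
    """Global layer first, then the sensor's own overrides."""
    entries = parse_rules(official_text)
    entries = apply_overrides(entries, **GLOBAL_CFG)
    entries = apply_overrides(entries, **SENSOR_CFG[sensor])
    return render(entries)


def resulting_diff(old_text, new_text, name):
    """The exact change a sensor would report after an update run."""
    return "".join(difflib.unified_diff(
        old_text.splitlines(True), new_text.splitlines(True),
        fromfile=f"{name}/local.rules (before)",
        tofile=f"{name}/local.rules (after)"))


def update_sensor(sensor, current_text, official_text):
    """One update run on a sensor: returns (new rules text, diff to report)."""
    new_text = build_sensor_rules(official_text, sensor)
    return new_text, resulting_diff(current_text, new_text, sensor)


def enabled_sids(text):
    """Sids that are active in a rendered rules file."""
    return {sid for sid, enabled, _ in parse_rules(text) if enabled}


if __name__ == "__main__":
    # Both sensors start from the unmodified official file; the same
    # global change produces a different diff on each of them.
    for sensor in ("sensor-a", "sensor-b"):
        _, diff = update_sensor(sensor, OFFICIAL_RULES, OFFICIAL_RULES)
        print(diff)
```

Running it shows the point from the post: the one global change (disable sid 1002) appears in sensor-a's diff but not in sensor-b's, because sensor-b's local layer re-enables that sid, so only the per-sensor diff tells you what actually changed on each box. A second run against the already-updated file reports an empty diff.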