Snort mailing list archives

Re: Pulled Pork

From: JJC <cummingsj () gmail com>
Date: Tue, 28 Aug 2012 11:08:08 -0600

It's certainly advantageous to do that with something like an RSYNC,
assuming that you don't need to customize the tuning and local.rules on
each system.  In that case you want to run PP on each system and be able to
tune for specific things (OS, Application etc...) in that environment / on
that system.

JJC

On Tue, Aug 28, 2012 at 10:19 AM, Nicholas Horton <fivetenets () me com> wrote:

Not sure if I understand my own question perfectly but I'm wondering if
it's possible to not extract rules on all my field systems.

More specifically is it good practice or doable to have pulled pork
running on a development system in my lab and then just push out
snort.rules, local.rules, so_rules.rules, sid-msg.map, threshold.conf, and
snort.conf to the field systems?

Snort.conf would point to those files obviously.

This would allow only a single system to manage my rules but all others
would take advantage and have less overhead.

Plus I could test these new rules on this development system before they
are pushed out to field sites.

If that is the whole idea behind pulled pork I apologize. I'm just not
sure if it has to run on the local snortbox or not.

Thanks
Nick


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Pulled Pork Nicholas Horton (Aug 28)
- Re: Pulled Pork JJC (Aug 28)
  - Re: Pulled Pork Nicholas Horton (Aug 28)
  - Re: Pulled Pork Castle, Shane (Aug 28)
    - Re: Pulled Pork JJC (Aug 28)
    - Re: Pulled Pork Jeremy Hoel (Aug 28)
    - Re: Pulled Pork JJ Cummings (Aug 28)
    - Re: Pulled Pork Nicholas Horton (Aug 28)