Snort mailing list archives
Re: How to handle multiple snort sensors
From: Jeremy Hoel <jthoel () gmail com>
Date: Fri, 1 Aug 2014 16:04:49 +0000
We run pulledpork on one server, on that same server we also configure the threshold, bpf, modify sid, update script itself, etc. 15 minutes after pp runs, it makes a tgz of all the files we want, an hour later each of our servers connects back at random times, gets the new tgz, unzips it and restarts snort. We do this 5 times a day (to account for rule modifications, whitelisting things, etc). Simple to manage with cron and a bash script. Easy to track. Works like a champ.

On Fri, Aug 1, 2014 at 2:53 PM, Robert Millott <robm () millottandassociates com> wrote:

> All, I am setting up about 35 snort sensors across our network, all feeding back into a SIEM (ArcSight). I was curious, how does anyone else out there handle multiple sensors? I am looking for a way to quickly (and centrally) view snort.conf, threshold.conf, bpf filters, rules enabled or disabled etc. without having to ssh into each individual host. I know pulled pork will handle pulling rules, but I am looking around to see if anyone has a means of managing many sensors.
>
> Thanx
> --
> Robert Millott
> President, Millott and Associates
> (443) 255-3588
>
> ------------------------------------------------------------------------------
> Want fast and easy access to all the code in your enterprise? Index and search up to 200,000 lines of code with a free copy of Black Duck Code Sight - the same software that powers the world's largest code search on Ohloh, the Black Duck Open Hub! Try it now. http://p.sf.net/sfu/bds
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
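One way to implement the sensor side of the pull model Jeremy describes, as an added example rather than a script from the thread: each sensor fetches the tgz the central pulledpork host produced, checks it against a SHA-256 sidecar published alongside it, stages it, runs `snort -T` on the staged config, and only then swaps it in and restarts. The central hostname, the bundle file names, the sidecar and the systemd unit name are assumptions.

```shell
#!/bin/bash
# Sensor-side pull of a pulledpork config bundle. Constructed example for this
# thread, not a script posted to it. Assumed central layout: $BUNDLE_URL/snort-bundle.tgz
# plus snort-bundle.tgz.sha256 written by the central server after each pp run.
set -eu

BUNDLE_URL="${BUNDLE_URL:-https://rules.example.internal/snort}"  # assumption
SNORT_DIR="${SNORT_DIR:-/etc/snort}"

# Succeed only if the tgz's SHA-256 equals the first field of the sidecar file.
# A bundle unpacked into /etc/snort on every sensor is a config-push channel, so a
# tampered or truncated download must never reach the live directory.
verify_bundle() {
    local tgz="$1" sumfile="$2" expected actual
    expected=$(awk 'NR==1 {print $1}' "$sumfile")
    actual=$(sha256sum "$tgz" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Extract into a staging directory, refusing entries that would escape it.
stage_bundle() {
    local tgz="$1" stage="$2"
    if tar -tzf "$tgz" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "bundle contains absolute or .. paths, refusing" >&2
        return 1
    fi
    mkdir -p "$stage" && tar -xzf "$tgz" -C "$stage"
}

# Full cycle: random offset, fetch, verify, stage, config-test, swap, restart.
deploy() {
    local work; work=$(mktemp -d)
    sleep $((RANDOM % 3600))   # spread the sensors over the hour, as the thread does
    curl -fsS -o "$work/bundle.tgz"    "$BUNDLE_URL/snort-bundle.tgz"
    curl -fsS -o "$work/bundle.sha256" "$BUNDLE_URL/snort-bundle.tgz.sha256"
    verify_bundle "$work/bundle.tgz" "$work/bundle.sha256" || { echo "checksum mismatch" >&2; exit 1; }
    stage_bundle "$work/bundle.tgz" "$work/stage"
    # Test the staged snort.conf before it replaces the live one: a broken threshold.conf
    # or rule file would otherwise leave this sensor blind after the restart.
    # (Assumes the staged snort.conf's include paths resolve from the staging directory.)
    snort -T -q -c "$work/stage/snort.conf" || { echo "staged config failed snort -T" >&2; exit 1; }
    cp -a "$work/stage/." "$SNORT_DIR/"
    systemctl restart snort            # assumption: snort runs as a systemd unit
    rm -rf "$work"
}

# Run the cycle only when invoked as "pull-bundle.sh run"; sourcing just defines the functions.
if [ "${1:-}" = "run" ]; then deploy; fi
```

The central side can keep producing its tgz exactly as described and only needs to add `sha256sum snort-bundle.tgz > snort-bundle.tgz.sha256` next to it.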
Current thread:
- How to handle multiple snort sensors Robert Millott (Aug 01)
- Re: How to handle multiple snort sensors Doug Burks (Aug 01)
- Re: How to handle multiple snort sensors Jaime Nebrera (Aug 01)
- Re: How to handle multiple snort sensors Shirkdog (Aug 01)
- Re: How to handle multiple snort sensors Jeremy Hoel (Aug 01)