Snort mailing list archives

AW: (Snort-users) Rule management


From: <sandro.poppi () wacker com>
Date: Tue, 27 Nov 2001 13:15:00 +0100


Well,

although it's running on W2k I'm using IDS Policy Manager (www.activeworks.com)
to manage my linux sensors which can create updates using the actual
snortrules.tar.gz file from www.snort.org and MERGE both the rule files and the
classification.config changes to the existing policy without touching
self-defined or adjusted rules which in my case saves me a huge amount of time.

With IDSPM you can create one policy for n sensors or a separate policy for each
sensor with the ability (among others) to do bulk-downloads or update each
sensor separately. The download can be done via ftp or scp (recommended ;)

What's still missing is the ability to restart the sensor but this is on the
todo list, but this can not be done automatically.

I also was looking for an open source solution for linux but nothing appropriate
could be found, but IDSPM works fine for me now, and maybe the author will
publish the source code (*wink* to Jeff ;)

Maybe not what you would like to hear.

So long,
Sandro

-----Original Message-----
From: <jlewis () packetnexus com> at internet
Sent: Tuesday, 27 November 2001 06:33
To: <snort-users () lists sourceforge net> at Internet
Subject: [Snort-users] Rule management


I was thinking about all the requests for automatic rule updates.  I think
this stems from the anti-virus auto update features.  The thinking is....the
more up to date the sigs are, the better off you are.

What we really need is a rule management tool.  IDScenter does some of this,
but it runs on Win2k.  (You can manage linux sensors too)

Is anyone updating a master rule list and pushing updates to sensors?  I
have tossed around different ideas for doing this and thought maybe I could
get some feedback here.  I was thinking a directory structure that had
folders for each sensor and rules were updated automatically via scp.
Thoughts?

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
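
One way the rule merge discussed in this thread could work, as an added example that is not part of the original posts and does not describe how IDS Policy Manager is implemented: a three-way merge keyed on sid, assuming the previously installed upstream rule set is kept as a baseline. The function names and the sample rules are constructed for illustration.

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
ACTION_RE = re.compile(r"#?\s*(alert|log|pass)\b")
LOCAL_SID_MIN = 1_000_000  # Snort convention: sids from 1,000,000 up are local rules

def parse_rules(text):
    """Map sid -> rule line; a rule commented out with '#' is still tracked."""
    rules = {}
    for line in map(str.strip, text.splitlines()):
        m = SID_RE.search(line)
        if m and ACTION_RE.match(line):
            rules[int(m.group(1))] = line
    return rules

def merge_policy(local, old_up, new_up):
    """Three-way merge keyed on sid. Returns (merged rules, sids left untouched)."""
    merged, kept = {}, []
    for sid, rule in local.items():
        if sid >= LOCAL_SID_MIN or rule != old_up.get(sid):
            merged[sid] = rule             # self-defined or adjusted: keep as is
            kept.append(sid)
        elif sid in new_up:
            merged[sid] = new_up[sid]      # unmodified: take the upstream update
        # unmodified and dropped upstream: falls out of the policy
    for sid, rule in new_up.items():
        if sid not in old_up:              # genuinely new upstream rule
            merged.setdefault(sid, rule)
    return merged, sorted(kept)

# Constructed sample rule sets (not real Snort signatures).
OLD_UP = parse_rules('''
alert tcp any any -> any 21 (msg:"sample A"; content:"AAA"; sid:900001; rev:1;)
alert tcp any any -> any 80 (msg:"sample B"; content:"BBB"; sid:900002; rev:1;)
alert tcp any any -> any 25 (msg:"sample C"; content:"CCC"; sid:900003; rev:1;)
''')
NEW_UP = parse_rules('''
alert tcp any any -> any 21 (msg:"sample A"; content:"AAA"; nocase; sid:900001; rev:2;)
alert tcp any any -> any 80 (msg:"sample B"; content:"BBB"; nocase; sid:900002; rev:2;)
alert tcp any any -> any 23 (msg:"sample D"; content:"DDD"; sid:900004; rev:1;)
''')
LOCAL = parse_rules('''
alert tcp any any -> any 21 (msg:"sample A"; content:"AAA"; sid:900001; rev:1;)
# alert tcp any any -> any 80 (msg:"sample B"; content:"BBB"; sid:900002; rev:1;)
alert tcp any any -> any 25 (msg:"sample C"; content:"CCC"; sid:900003; rev:1;)
alert tcp any any -> any 8080 (msg:"site rule"; content:"XYZ"; sid:1000001; rev:1;)
''')

if __name__ == "__main__":
    merged, kept = merge_policy(LOCAL, OLD_UP, NEW_UP)
    print("left untouched:", kept)
    for sid in sorted(merged):
        print(merged[sid])
```

A rule the operator disabled by commenting it out differs from the baseline, so it stays disabled after the update instead of being silently re-enabled.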



