Re: Managing many sensors

["Kristofer T. Karas" <ktk () enterprise bidmc harvard edu>]

robert schwartz wrote:

> I have a lot of sensors I'm deploying...
> With rule updates (including tuning the rulesets sitewide) I can get a
> good update scheme using rsync, but the snort.conf file will lose the
> "$HOME_NET" variable and the "sensor_id" variable in the output plugin.
>  

Simple solution used here is to create a subdirectory (I use 
/usr/local/snort) that snort runs in.  This contains a "bin/" 
subdirectory for the snort binary, an "etc" subdir for configuration 
info, "etc/rules/" to hold the snortrules-*.tar.gz data, and so on.  In 
addition to "etc" there's also an "etc.local" directory where I put 
per-sensor configuration information that should not be replicated from 
one sensor to another.  The file /etc/snort.conf has an "include" 
statement that sources "../etc.local/local.conf" and then 
"../etc.local/local.rules" allowing each sensor to be tweaked 
independently.  To push out data, one can then do:

 ssh target "/etc/rc.d/rc.snort stop"
 rsync -a --delete --exclude /etc.local /usr/local/snort/ target:/usr/local/snort/
 ssh target "/etc/rc.d/rc.snort start"

I can update the binary and rules in one swoop.

Kris



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users