Snort mailing list archives
Re: Managing Multiple Snort Sensors
From: Willst Mail <willstmail () gmail com>
Date: Wed, 31 Mar 2010 18:38:31 -0400
We are running BASE on Apache and take advantage of a centrally accessible web server to host our ruleset, custom rules, threshold.conf, an include file of IP group variables, and other custom files.

Each sensor has a homemade perl script that reads a "manifest" file - a list of files to download from the web server and a local path to where the file should go. The script also invokes pulledpork to process the rules.

The sensors are configured to run the script during the middle of the night, but we also have a second script monitoring a "trigger" file on the web server every 15 minutes. That script basically watches for changes to the trigger file, and if the file is updated then the script calls the first script to update the sensors. That way, if we have an emergency rule or config to deploy, we just touch the file on the web server and we know that within 15 minutes all of our sensors will be up to date.

This is mostly home-grown stuff, augmenting pulledpork (and oinkmaster on a few old sensors). It's not really "managing" the sensors, but at least making distribution easier.

Someone else on the list mentioned that Endace provides some sort of console product for roll-your-own sensors. Most companies otherwise require you to use their own distributions or appliances.

On Wed, Mar 31, 2010 at 5:34 PM, <snort-users-request () lists sourceforge net> wrote:
Message: 4
Date: Wed, 31 Mar 2010 11:33:57 -1000
From: "Chan, Wilson" <wchan () honolulu gov>
Subject: Re: [Snort-users] Managing Multiple Snort Sensors
To: "JJ Cummings" <cummingsj () gmail com>
Cc: "snort-users () lists sourceforge net" <Snort-users () lists sourceforge net>
Message-ID: <B26B7D4CD79DC34BB21ABF8CA9CF4ED01AE88D1A () cchmail01 cchnl hnl>
Content-Type: text/plain; charset="us-ascii"

Actually, I meant central management for tuning. I googled and found IDS Policy manager from ActiveWorx.org. Any recommendations?

Wilson

From: jcummings () sourcefire com [mailto:jcummings () sourcefire com] On Behalf Of JJ Cummings
Sent: Wednesday, March 31, 2010 11:23 AM
To: Chan, Wilson
Subject: Re: [Snort-users] Managing Multiple Snort Sensors

Depending on the requirements... pulledpork for rule management and rsync to sync the rule mods / updates that pulledpork makes...

On Wed, Mar 31, 2010 at 3:17 PM, Chan, Wilson <wchan () honolulu gov> wrote:

What does everyone use to manage multiple snort sensors?

Thanks!
Wilson

End of Snort-users Digest, Vol 46, Issue 50
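The following Python example is added here to illustrate the manifest-and-trigger distribution described in the message above; it is not the poster's Perl script. It assumes a three-column manifest (`remote-name sha256 local-path`; the hash column is an addition, since the message mentions only the file and its local path), a caller-supplied `fetch` function that returns a file's bytes, and a trigger "stamp" such as the trigger file's Last-Modified value.

```python
import hashlib, os, tempfile
from pathlib import Path

def parse_manifest(text):
    """Yield (remote_name, sha256_hex, local_path) from 'name sha256 path' lines."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop comments and blank lines
        if fields:
            yield fields[0], fields[1].lower(), fields[2]

def sync(manifest_text, fetch, root):
    """Install each manifest entry under root; return {local_path: status}."""
    root, results = Path(root).resolve(), {}
    for name, digest, dest in parse_manifest(manifest_text):
        target = (root / dest).resolve()
        if root not in target.parents:              # blocks ../ and absolute paths
            results[dest] = "rejected: outside root"
            continue
        data = fetch(name)
        if hashlib.sha256(data).hexdigest() != digest:
            results[dest] = "rejected: hash mismatch"
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        fd, tmp = tempfile.mkstemp(dir=target.parent)
        with os.fdopen(fd, "wb") as fh:             # write beside the target first
            fh.write(data)
        os.replace(tmp, target)                     # atomic swap, no partial file
        results[dest] = "installed"
    return results

def run_if_triggered(stamp, manifest_text, fetch, root, state_file):
    """Sync when the trigger stamp changed; record it only after a clean run."""
    state = Path(state_file)
    if state.exists() and state.read_text() == stamp:
        return None                                 # trigger untouched since last good sync
    results = sync(manifest_text, fetch, root)
    if all(status == "installed" for status in results.values()):
        state.write_text(stamp)                     # a failed run is retried next poll
    return results

# Constructed sample data standing in for the web server's files (hypothetical names).
SAMPLE = {"local.rules": b"# constructed rule file\n"}
SAMPLE_MANIFEST = "\n".join([
    f"local.rules {hashlib.sha256(SAMPLE['local.rules']).hexdigest()} rules/local.rules",
    f"local.rules {'0' * 64} threshold.conf    # wrong hash on purpose",
    f"local.rules {hashlib.sha256(SAMPLE['local.rules']).hexdigest()} ../escape.rules",
])

if __name__ == "__main__":
    print(sync(SAMPLE_MANIFEST, SAMPLE.__getitem__, tempfile.mkdtemp()))
```

The hash check only protects the sensors if the manifest itself reaches them over an authenticated channel (for example HTTPS with certificate verification, or a signed manifest), because an attacker who can rewrite the manifest can rewrite the hashes too.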