Snort mailing list archives

Re: Snort 2.9 on OpenWrt (18.06.1)


From: wkitty42--- via Snort-users <snort-users () lists snort org>
Date: Fri, 18 Jan 2019 13:17:10 -0500

On 1/18/19 11:47 AM, Posting Stuff via Snort-users wrote:
> Hello!
>
> I'm trying to figure out best practice for running Snort on OpenWrt (18.06.01). I can get the package running but there are some challenges:
>
> 1. Setting up rule sets natively is extremely manual.

do you mean writing your own?

> 2. Correcting rule errors is challenging

your rules or those from somewhere else?

> 3. Information on the best rule sets to use (preprocessors, rules to use, shared objects) is non-existent.

there is no "one size fits all"... each network is different and has different requirements... e.g.: i know of some that deny inbound TOR exit node traffic so they employ snort to detect and alert on those connections so they can be blocked...

> So here are my questions:
>
> 1. Can I use pulledpork to process the rules updates off-box using CentOS 7?

you should be able to... the question is how to make them available to snort on your embedded OS device...

> 2. If the above isn't the right methodology, what is the best way to automate correcting rules errors?

need an example to understand what "errors" you're speaking of...

> 3. Is there best practice information about running Snort on embedded OS devices?

i don't know other than turning off one of the file time stamp updates that leads to too many writes and "wears out" SD cards and such...

but(!) if you have a way to connect a USB HD to that device and point it to the rules files on it, that would be something to look into...

i don't know if you can use something like NFS or similar method of mounting the rules directory on a server where you process the rules files but that might be something to look into, too, if the device can handle it...


--
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list unless*
       *a signed and pre-paid contract is in effect with us.*
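One way to catch rule errors on the CentOS box before the rules are pushed to the OpenWrt device, as an added example that is not part of the thread: a small pre-check that flags rule lines whose header shape is wrong, whose option quotes are unbalanced, or that lack a sid. The action and protocol sets and the sample rules file are assumptions constructed for the example; the authoritative test remains running `snort -T` against the generated configuration.

```python
import re

# Rule actions and protocols accepted here (assumption: Snort 2.9's standard set).
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def lint_rule(line):
    """Return a list of problems found in one rule line (empty list means it looks OK)."""
    m = HEADER_RE.match(line)
    if not m:
        return ["header does not match 'action proto src sport dir dst dport (options)'"]
    problems = []
    if m["action"] not in ACTIONS:
        problems.append(f"unknown action {m['action']!r}")
    if m["proto"] not in PROTOCOLS:
        problems.append(f"unknown protocol {m['proto']!r}")
    opts = m["opts"]
    if opts.count('"') % 2:
        problems.append("unbalanced double quotes in options")
    if not opts.rstrip().endswith(";"):
        problems.append("options must end with ';'")
    if not re.search(r"(^|;)\s*sid\s*:\s*\d+\s*;", opts):
        problems.append("missing sid option")
    return problems

def lint_rules(text):
    """Lint a whole rules file; returns {line_number: [problems]} for bad rules only."""
    report = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out (disabled) rules are fine
        problems = lint_rule(line)
        if problems:
            report[n] = problems
    return report

# Constructed sample rules file (not from the thread): one good rule, four broken ones.
SAMPLE_RULES = """\
# constructed sample rules
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"constructed example"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"missing sid"; rev:1;)
alert tcp any any -> any 443 (msg:"unbalanced quote; sid:1000003; rev:1;)
alret udp any any -> any 53 (msg:"typo in action"; sid:1000004; rev:1;)
alert tcp any any -> any 22 (msg:"no closing paren"; sid:1000005; rev:1;
"""

if __name__ == "__main__":
    for n, problems in sorted(lint_rules(SAMPLE_RULES).items()):
        print(f"line {n}: " + "; ".join(problems))
```

Running the pre-check in the off-box pipeline (after pulledpork, before copying to the device) lets you fix or comment out a bad rule before Snort on the router refuses to start.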