RE: Managing many sensors

["robert schwartz" <robert () mrsquirrel com>]

To close the loop here then, I have oinkmaster running on the "master"
and it triages the rules to maintain my settings in a "dummy" directory.
When the rules are updated (or even a change to oinkmaster.conf which
fires off oinkmaster so no hand editing of rules is ever done) they are
blasted out to the remote sensors and snort is killed.  Daemontools
starts snort up fresh w/ the new rules.  So my rule management is
sorted.

The last question I have is when I want to upgrade the remote sensors,
do I just overwrite the old snort binary with the new snort binary and
kill the snort process (then daemontools will start the new binary with
the rules from the master)?  Are there other files I need to copy over
to "upgrade" to the newest snort?

> -----Original Message-----
> From: snort-users-admin () lists sourceforge net 
> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of 
> Kristofer T. Karas
> Sent: Friday, January 02, 2004 11:16 AM
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Managing many sensors
>
>
> robert schwartz wrote:
>
> > I have a lot of sensors I'm deploying...
> > With rule updates (including tuning the rulesets sitewide) I 
> can get a 
> > good update scheme using rsync, but the snort.conf file will 
> lose the 
> > "$HOME_NET" variable and the "sensor_id" variable in the 
> output plugin.
> >  
>
> Simple solution used here is to create a subdirectory (I use 
> /usr/local/snort) that snort runs in.  This contains a "bin/" 
> subdirectory for the snort binary, an "etc" subdir for configuration 
> info, "etc/rules/" to hold the snortrules-*.tar.gz data, and 
> so on.  In 
> addition to "etc" there's also an "etc.local" directory where I put 
> per-sensor configuration information that should not be 
> replicated from 
> one sensor to another.  The file /etc/snort.conf has an "include" 
> statement that sources "../etc.local/local.conf" and then 
> "../etc.local/local.rules" allowing each sensor to be tweaked 
> independently.  To push out data, one can then do:
>
>   ssh target "/etc/rc.d/rc.snort stop"
>   rsync -a --delete --exclude /etc.local /usr/local/snort/ 
> target:/usr/local/snort/
>   ssh target "/etc/rc.d/rc.snort start"
>
> I can update the binary and rules in one swoop.
>
> Kris
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign 
> up for IBM's Free Linux Tutorials.  Learn everything from the 
> bash shell to sys admin. Click now! 
> http://ads.osdn.com/?ad_id=1278&alloc_id=> 3371&op=click
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: 
> https://lists.sourceforge.net/lists/listin> fo/snort-users
>
> Snort-users list archive: 
> http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users