Snort mailing list archives

Re: Pulled Pork

From: "Castle, Shane" <scastle () bouldercounty org>
Date: Tue, 28 Aug 2012 17:43:25 +0000

Security Onion does this for the systems defined as sensors only, using scp and ssh keys. A short extract from the cron 
job that is run:

        echo "Copying rules from $SERVERNAME."
        scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/downloaded.rules $RULES/downloaded.rules
        scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/local.rules $RULES/local.rules
        scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/so_rules.rules $RULES/so_rules.rules
        scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/snort/sid-msg.map /etc/snort/sid-msg.map

I'm sure you can guess how the variables are set.

In this case, the rules are pulled rather than pushed.

If you want to run PP on each system in order to customize for each one what rules are enabled/modified/disabled, you 
could have the "parent" system put the tarballed rules in an accessible directory, scp them over, then run PP with the 
'-n' parameter so that it won't download a new set of rules.

-- 
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH


-----Original Message-----
From: JJC [mailto:cummingsj () gmail com] 
Sent: Tuesday, August 28, 2012 11:08
To: Nicholas Horton
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Pulled Pork

It's certainly advantageous to do that with something like an RSYNC, assuming that you don't need to customize the 
tuning and local.rules on each system.  In that case you want to run PP on each system and be able to tune for specific 
things (OS, Application etc...) in that environment / on that system.

JJC


On Tue, Aug 28, 2012 at 10:19 AM, Nicholas Horton <fivetenets () me com> wrote:


        Not sure if I understand my own question perfectly but I'm wondering if it's possible to not extract rules on 
all my field systems.
        
        More specifically is it good practice or doable to have pulled pork running on a development system in my lab 
and then just push out snort.rules, local.rules, so_rules.rules, sid-msg.map, threshold.conf, and snort.conf to the 
field systems?
        
        Snort.conf would point to those files obviously.
        
        This would allow only a single system to manage my rules but all others would take advantage and have less 
overhead.
        
        Plus I could test these new rules on this development system before they are pushed out to field sites.
        
        If that is the whole idea behind pulled pork I apologize. I'm just not sure if it has to run on the local 
snortbox or not.
        
        Thanks
        Nick
        
        ------------------------------------------------------------------------------
        Live Security Virtual Conference
        Exclusive live event will cover all the ways today's security and
        threat landscape has changed and how IT managers can respond. Discussions
        will include endpoint security, mobile security and the latest in malware
        threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
        _______________________________________________
        Snort-users mailing list
        Snort-users () lists sourceforge net
        Go to this URL to change user options or unsubscribe:
        https://lists.sourceforge.net/lists/listinfo/snort-users
        Snort-users list archive:
        http://www.geocrawler.com/redir-sf.php3?list=snort-users
        
        Please visit http://blog.snort.org to stay current on all the latest Snort news!
        



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Pulled Pork Nicholas Horton (Aug 28)
- Re: Pulled Pork JJC (Aug 28)
  - Re: Pulled Pork Nicholas Horton (Aug 28)
  - Re: Pulled Pork Castle, Shane (Aug 28)
    - Re: Pulled Pork JJC (Aug 28)
    - Re: Pulled Pork Jeremy Hoel (Aug 28)
    - Re: Pulled Pork JJ Cummings (Aug 28)
    - Re: Pulled Pork Nicholas Horton (Aug 28)