Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Pulled Pork

From: JJ Cummings <cummingsj () gmail com>
Date: Tue, 28 Aug 2012 12:52:28 -0600
Gotcha, sounds like you got it figured out then :)

Sent from the iRoad

On Aug 28, 2012, at 12:27, Jeremy Hoel <jthoel () gmail com> wrote:


We tar up our conf files, rules, bpf and other things then have the
clients grab the tarball via ip/acl and then expand and restart start.

We include snort.conf and threshold.conf as we makes changes to these
on a pretty regular basis for adding new IPs to groups or clearing
FP's on rules.


On Tue, Aug 28, 2012 at 5:55 PM, JJC <cummingsj () gmail com> wrote:

Exactly.. and you don't need to copy the snort.conf over every time, same
with the threshold.conf (those two may well have site/system specific
values).

As to how you sync the files.. scp, rsync, rpm.. whatever you are more adept
/ comfortable at/with..

On Tue, Aug 28, 2012 at 11:43 AM, Castle, Shane <scastle () bouldercounty org>
wrote:


Security Onion does this for the systems defined as sensors only, using
scp and ssh keys. A short extract from the cron job that is run:

       echo "Copying rules from $SERVERNAME."
       scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/downloaded.rules
$RULES/downloaded.rules
       scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/local.rules
$RULES/local.rules
       scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/so_rules.rules
$RULES/so_rules.rules
       scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/snort/sid-msg.map
/etc/snort/sid-msg.map

I'm sure you can guess how the variables are set.

In this case, the rules are pulled rather than pushed.

If you want to run PP on each system in order to customize for each one
what rules are enabled/modified/disabled, you could have the "parent" system
put the tarballed rules in an accessible directory, scp them over, then run
PP with the '-n' parameter so that it won't download a new set of rules.

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH


-----Original Message-----
From: JJC [mailto:cummingsj () gmail com]
Sent: Tuesday, August 28, 2012 11:08
To: Nicholas Horton
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Pulled Pork

It's certainly advantageous to do that with something like an RSYNC,
assuming that you don't need to customize the tuning and local.rules on each
system.  In that case you want to run PP on each system and be able to tune
for specific things (OS, Application etc...) in that environment / on that
system.

JJC


On Tue, Aug 28, 2012 at 10:19 AM, Nicholas Horton <fivetenets () me com>
wrote:


       Not sure if I understand my own question perfectly but I'm
wondering if it's possible to not extract rules on all my field systems.

       More specifically is it good practice or doable to have pulled
pork running on a development system in my lab and then just push out
snort.rules, local.rules, so_rules.rules, sid-msg.map, threshold.conf, and
snort.conf to the field systems?

       Snort.conf would point to those files obviously.

       This would allow only a single system to manage my rules but all
others would take advantage and have less overhead.

       Plus I could test these new rules on this development system
before they are pushed out to field sites.

       If that is the whole idea behind pulled pork I apologize. I'm just
not sure if it has to run on the local snortbox or not.

       Thanks
       Nick


------------------------------------------------------------------------------
       Live Security Virtual Conference
       Exclusive live event will cover all the ways today's security and
       threat landscape has changed and how IT managers can respond.
Discussions
       will include endpoint security, mobile security and the latest in
malware
       threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
       _______________________________________________
       Snort-users mailing list
       Snort-users () lists sourceforge net
       Go to this URL to change user options or unsubscribe:
       https://lists.sourceforge.net/lists/listinfo/snort-users
       Snort-users list archive:
       http://www.geocrawler.com/redir-sf.php3?list=snort-users

       Please visit http://blog.snort.org to stay current on all the
latest Snort news!






------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: