[Snort-users] secure server push of snort rules

Tom Whipp twhipp at ...63...
Tue Aug 8 07:50:14 EDT 2000


> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Fyodor
> Sent: 08 August 2000 09:28
> To: Jeff Seely
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] secure server push of snort rules
>
>
>
> ~ :Fellow snorters,
>
> ~ :     I have 5 machines with 3 interfaces each with their own
> ~ :installs of snort for a grand daddy total of 15 sensors. I'm trying
> ~ :to come up with a way to push out new rules and turn sensors on and
> ~ :off from one centralized machine. This is a "no clear text" network
> ~ :so it would have to be over ssl. Before I even start looking into
> ~ :perl + NetSSLeay I wanted to make sure I wasn't reinventing the
> ~ :wheel. Anyone have any ideas or thoughts?
>
> Heh.. check out my post to the list about two days ago with `snortdog' in
> subject. I was suggesting to write some sort of daemon/watchdog which
> would perform snort-rules transfer on DNS manner. There are only a few
> lines of code (C) written on this subject though, basically it's only a
> watchdog now, starts snort with its own command line arguments and
> restarts it when it goes down. The rest of functionality is in development
> now. I will put a link at snortnet.scorpions.net and probably snort.org
> too as soon as there would be something worth to observe.
>
> If interested in helping the devel. though, drop a line, I will send you
> current snapshot.
>

When talking about configuration file distribution for a platform monitoring
tool (Spong) it was suggested that it NOT be incorporated within the
application.

Instead, why not use rsync (possibly over ssh) to keep files updated and
then HUP snort if any changes are uploaded?  From what I understand, clients
could poll the main server every minute without any real impact on load. Or
do you want real-time updates?

Just a thought

	Tom
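
The approach suggested in this message (each sensor pulls the rules with rsync over ssh and sends Snort a HUP only when something changed), as an added example that is not part of the original message. The server name, account, paths, key file and pidfile are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: sensor-side pull of Snort rules over ssh, HUP only on change.
# Host, account, paths, key and pidfile are assumptions, not from the thread.
RULES_SRC="${RULES_SRC:-snortsync@rules.example.net:/srv/snort/rules/}"
RULES_DIR="${RULES_DIR:-/etc/snort/rules}"
SSH_KEY="${SSH_KEY:-/etc/snort/sync_ed25519}"
PIDFILE="${PIDFILE:-/var/run/snort.pid}"

# Pull the rule set; --itemize-changes prints one line per updated item.
# BatchMode fails instead of prompting; StrictHostKeyChecking refuses an
# unknown or changed server key, so a spoofed rule server is not trusted.
fetch_rules() {
  rsync -rt --delete --itemize-changes \
    -e "ssh -i $SSH_KEY -o BatchMode=yes -o StrictHostKeyChecking=yes" \
    "$RULES_SRC" "$RULES_DIR/"
}

# True if the itemized output (stdin) shows a received file (">f...") or a
# deletion ("*deleting"); directory timestamp lines alone do not count.
rules_changed() {
  grep -Eq '^(>f|\*deleting)'
}

# Ask the running Snort to re-read its configuration.
reload_snort() {
  pid=$(cat "$PIDFILE") || return 1
  kill -HUP "$pid"
}

# One poll cycle. Prints "reloaded", "unchanged" or "fetch-failed".
sync_once() {
  if ! changes=$(fetch_rules); then
    echo "fetch-failed"; return 2
  fi
  if printf '%s\n' "$changes" | rules_changed; then
    reload_snort && echo "reloaded"
  else
    echo "unchanged"
  fi
}

# Run from cron on each sensor, e.g. every minute: <script> --once
case "${1:-}" in --once) sync_once ;; esac
```

A failed fetch never triggers a reload, so a sensor keeps running its last loaded rule set when the server is unreachable or its host key does not match.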





