[Snort-users] Snorticus v1.0 Released.

Paul Ritchey (CSIRT) pritchey at ...516...
Tue Sep 26 09:37:32 EDT 2000

Hello All:

This is to announce the first public release of Snorticus, a small
collection of shell scripts.  It is available at
http://snorticus.baysoft.net, and is under the standard GNU GPL license.

Snorticus is a collection of shell scripts to help you manage running
multiple instances of Snort on multiple sensors (machines).  It's
concept is to help you easily maintain multiple sensors and the
processing of collected data by automating everything for you.  It's
ideal for situations where Snort is being used to monitor multiple
subnets or locations.  For those using Snort at home, you can benefit
too by having it automatically process your collected data if you're
lazy like me ;-)

The first script handles restarting the correct number of instances of
Snort (one for each subnet being monitored) on the sensor and wrapping
up the collected data once an hour.  The wrapped up data from one sensor
combines all of the collected data for the all of the subnets being
monitored, so they are all processed as a whole and not individually.

The second script is used to pull the data back from multiple sensors
and runs it through SnortSnarf.  The data is then ready to be viewed via
a web browser.

There is a third script that will be added shortly, it's written and
working, but I want to run it for a few weeks before releasing it as
part of Snorticus.  This third script allows you to locally maintain
bits and pieces of rule sets that are then combined together and pushed
out to the sensors.  This helps you maintain consistency between sensors
and subnets, but still allow for customization for specific sensor
(site) and subnets at that sensor (site).  You maintain one file that
contains rules that apply to ALL sensors and ALL subnets.  You maintain
separate rule files that apply to SPECIFIC sensors (sites).  You also
maintain separate files, one for each subnet on a given sensor (site)
that applies only to that subnet and contains the necessary
configuration information that normally appears at the top of a rule
file.  These three files are then combined together and pushed out to
the sensor.

Hopefully this will be of some value to other Snort users.  I've
recently seen some postings about running multiple instances of Snort
and thought that now might be an appropriate time to donate back to the

Paul Ritchey
pritchey at ...110...

R. Paul Ritchey (Contractor, Jacob and Sundstrom, Inc.)
Computer Security and Incident Response Team
U. S. Army Research Laboratory Adelphi MD

More information about the Snort-users mailing list