[Snort-users] AW: (Snort-users) Rule management

Jeff Dell jdell at ...1095...
Tue Nov 27 04:46:11 EST 2001


Actually there is a way to restart the sensor automatically with IDSPM.


Create a new file in the same directory as the policy; call it "update".
Include the file in the settings window. When the policy is uploaded to
the sensor, that file will be uploaded as well. Then just have a cronjob
on the sensor that looks for that new file. When it finds it, the
cronjob restarts snort and deletes the file.

Jeff

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net 
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
> sandro.poppi at ...3316...
> Sent: Tuesday, November 27, 2001 7:15 AM
> To: jlewis at ...2449...; snort-users at lists.sourceforge.net
> Subject: [Snort-users] AW: (Snort-users) Rule management
> 
> 
> 
> Well,
> 
> although it's running on W2k I'm using IDS Policy Manager 
> (www.activeworks.com) to manage my linux sensors which can 
> create updates using the actual snortrules.tar.gz file from 
> www.snort.org and MERGE both the rule files and the 
> classification.config changes to the existing policy without 
> touching self-defined or adjusted rules which in my case 
> saves me a huge amount of time.
> 
> With IDSPM you can create one policy for n sensors or a 
> separate policy for each sensor with the ability (among 
> others) to do bulk-downloads or update each sensor 
> separately. The download can be done via ftp or scp (recommended ;)
> 
> What's still missing is the ability to restart the sensor, but 
> this is on the todo list, but this cannot be done automatically.
> 
> I also was looking for an open source solution for linux but 
> nothing appropriate could be found, but IDSPM works fine for 
> me now, and maybe the author will publish the source code 
> (*wink* to Jeff ;)
> 
> Maybe not what you would like to hear.
> 
> So long,
> Sandro
> 
> > -----Original Message-----
> > From: <jlewis at ...2449...> at internet
> > Sent: Tuesday, 27 November 2001 06:33
> > To: <snort-users at lists.sourceforge.net> at Internet
> > Subject: [Snort-users] Rule management
> >
> >
> > I was thinking about all the requests for automatic rule 
> > updates.  I think this stems from the anti-virus auto update 
> > features.  The thinking is....the more up to date the sigs are, 
> > the better off you are.
> >
> > What we really need is a rule management tool.  IDScenter 
> > does some of this, but it runs on Win2k.  (You can manage 
> > linux sensors too)
> >
> > Is anyone updating a master rule list and pushing updates 
> > to sensors?  I have tossed around different ideas for doing 
> > this and thought maybe I could get some feedback here.  I was 
> > thinking a directory structure that had folders for each 
> > sensor and rules were updated automatically via scp.
> > Thoughts?
> >
> > Jason Lewis
> > http://www.packetnexus.com
> > It's not secure "Because they told me it was secure".
> > The people at the other end of the link know less
> > about security than you do. And that's scary.
> >
> >
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe: 
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive: 
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
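The two mechanisms discussed in this thread, Jason's per-sensor rule directory pushed out via scp and Jeff's "update" marker file that a cronjob on the sensor watches for, fit together as one script. The following is an added example for this archive page, not IDSPM code or anything posted by the thread participants. It assumes a policy directory of /etc/snort on the sensor, that `snort -T -c <conf>` is available to validate a configuration, that `/etc/init.d/snort restart` restarts the daemon, and that the script is installed at /usr/local/sbin/snort-update-check; all of these are assumptions. It goes slightly beyond the thread by validating the new policy before restarting, so that a broken rule file cannot take the sensor down, and by keeping a renamed marker behind when something fails instead of silently retrying every five minutes.

```shell
#!/bin/sh
# Added example (not IDSPM code): the marker-file restart described in this
# thread, plus a per-sensor push that drops the marker last. Paths, the
# "snort -T -c" validation step and the init script are assumptions.

# --- management side --------------------------------------------------------
# Copy one sensor's rule directory to the sensor, then drop the empty "update"
# marker as a separate, final transfer so a partial copy never triggers a
# restart. $1 = local per-sensor dir, $2 = destination (e.g. root@sensor1:/etc/snort),
# $3 = copy command ("scp -pr" for real use; "cp -pr" in offline tests).
push_policy() {
    src="$1"; dest="$2"; copy="${3:-scp -pr}"
    $copy "$src"/* "$dest"/ || return 1
    marker="$(mktemp)" || return 1
    $copy "$marker" "$dest"/update || { rm -f "$marker"; return 1; }
    rm -f "$marker"
    return 0
}

# --- sensor side (run from cron) --------------------------------------------
# Look for the marker; if present, validate the new policy before restarting so
# a bad rule file cannot leave the sensor down. Returns 0 = restarted,
# 1 = nothing to do, 2 = validation failed, 3 = restart failed. On failure the
# marker is renamed rather than deleted so the next cron run does not retry
# blindly and the failed push stays visible in the policy directory.
# $1 = policy dir, $2 = validation command, $3 = restart command.
apply_pending_update() {
    dir="$1"; validate="$2"; restart="$3"
    marker="$dir/update"
    [ -f "$marker" ] || return 1
    if ! $validate; then
        echo "policy in $dir failed validation, not restarting" >&2
        mv "$marker" "$marker.failed"
        return 2
    fi
    if ! $restart; then
        echo "snort restart failed after update of $dir" >&2
        mv "$marker" "$marker.failed"
        return 3
    fi
    rm -f "$marker"
    return 0
}

# Cron entry on the sensor (assumed path and schedule):
#   */5 * * * * /usr/local/sbin/snort-update-check cron
if [ "${1:-}" = "cron" ]; then
    POLICY_DIR=/etc/snort
    apply_pending_update "$POLICY_DIR" \
        "snort -T -c $POLICY_DIR/snort.conf" \
        "/etc/init.d/snort restart"
fi
```

Because dropping a file into the policy directory causes a root-run restart, the directory and the account that scp writes with should be writable only from the management host (ideally a dedicated key restricted to that copy), and the marker is transferred after the rules so the cronjob never fires on a half-copied policy. The validation and restart commands are passed as plain strings and word-split, which is deliberate for a cron script but means paths with spaces are not supported.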