[Snort-users] Rule management

Jason Haar Jason.Haar at ...294...
Tue Nov 27 13:19:03 EST 2001


On Tue, Nov 27, 2001 at 06:33:37AM -0500, Jason Lewis wrote:
> Is anyone updating a master rule list and pushing updates to sensors?  I
> have tossed around different ideas for doing this and thought maybe I could
> get some feedback here.  I was thinking a directory structure that had
> folders for each sensor and rules were updated automatically via scp.
> Thoughts?

Yup. I have a cronjob that every night downloads snortrules, unpacks it,
and diffs it against the "live" environ. The diffs are Emailed to me. 

When I see there has been an update, I can eyeball what's changed (that's
the "enhanced-security" element :-) and if I like what I see, re-run the
script with the "--live" arg to push those changes live. After going live,
the script rsyncs-over-ssh to our other Snort systems...

-- 
Cheers

Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
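The workflow described above (nightly fetch, diff against the live ruleset, review, then a `--live` run that promotes the staged copy and fans it out to the other sensors with rsync over ssh) as an added example script; this is not Jason Haar's script or anything from the Snort project. It assumes rules are `*.rules` files under a live directory, that the fetch step has already unpacked a fresh copy into a staging directory, and that the sensor hostnames come from a `SENSORS` variable (empty by default so nothing is contacted when run offline); the fetch URL is a placeholder, and `make_sample` writes constructed rules for demonstration only.

```shell
#!/bin/sh
# Added example: nightly Snort rule review / promote / distribute workflow.
# Not the original poster's script. Assumes $STAGE holds a freshly unpacked
# ruleset and $LIVE is the directory Snort actually reads.
set -u

# Fetch step (not run offline): download and unpack the ruleset tarball into
# the staging directory. The URL is a placeholder, not a real rules location.
fetch_rules() {
    url=$1; stage=$2
    rm -rf "$stage"; mkdir -p "$stage"
    curl -fsSL "$url" | tar -xz -C "$stage"
}

# Compare the staged rules against the live set. Prints a unified diff.
# Exit status follows diff(1): 0 identical, 1 differences, 2 trouble.
rule_diff() {
    stage=$1; live=$2
    diff -ruN "$live" "$stage"
}

# List the sids of rules that were added, removed or modified, one per
# line, by pulling "sid:N" out of the changed rule lines in the diff.
changed_sids() {
    rule_diff "$1" "$2" \
        | grep -E '^[-+](alert|log|pass|drop|reject|sdrop)' \
        | grep -oE 'sid:[0-9]+' \
        | sort -u
}

# The "--live" step: copy the staged rules over the live set, then push the
# live directory to every other sensor with rsync over ssh.
push_live() {
    stage=$1; live=$2; shift 2
    mkdir -p "$live"
    cp -R "$stage"/. "$live"/
    for host in "$@"; do
        rsync -az -e ssh "$live"/ "$host:$live"/
    done
}

# Cron entry point: in review mode (default) print the diff so it can be
# mailed for eyeballing; with "--live" promote the staged rules instead.
nightly() {
    stage=$1; live=$2; mode=${3:-review}
    out=$(mktemp)
    rc=0
    rule_diff "$stage" "$live" >"$out" 2>&1 || rc=$?
    case $rc in
        0) rm -f "$out"; echo "no rule changes"; return 0 ;;
        1) ;;
        *) cat "$out" >&2; rm -f "$out"; echo "diff failed (rc=$rc)" >&2; return 2 ;;
    esac
    if [ "$mode" = "--live" ]; then
        push_live "$stage" "$live" ${SENSORS:-}
        echo "pushed staged rules live"
    else
        # In the real cron job this is where the diff would be mailed, e.g.
        #   mail -s "snort rule changes" admin < "$out"
        cat "$out"
    fi
    rm -f "$out"
}

# Constructed sample data for offline demonstration: a live set with two
# rules and a staged set where sid 1000002 is revised and 1000003 is new.
make_sample() {
    root=$1
    mkdir -p "$root/live" "$root/stage"
    cat >"$root/live/web.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC example one"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC example two"; sid:1000002; rev:1;)
EOF
    cat >"$root/stage/web.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC example one"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC example two"; content:"/x"; sid:1000002; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC example three"; sid:1000003; rev:1;)
EOF
}
```

Typical use: `fetch_rules "$URL" "$STAGE"` followed by `nightly "$STAGE" "$LIVE"` from cron, then `nightly "$STAGE" "$LIVE" --live` by hand once the mailed diff has been read. Keeping the push behind an explicit flag is what makes the review step meaningful: nothing reaches the sensors until someone has looked at the diff.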
