[Snort-users] Managing many sensors

robert schwartz robert at ...5775...
Tue Dec 30 09:36:04 EST 2003


I have a lot of sensors I'm deploying (5 at this time with many more
being rolled out after the pilot) and we're starting to design the rules
management system / update system.  I'm looking at a few tools including
Activeworx or rsync to do "top down" rule and binary management instead
of having the management done on all the remote headless sensors.  

With rule updates (including tuning the rulesets sitewide) I can get a
good update scheme using rsync, but the snort.conf file will lose the
"$HOME_NET" variable and the "sensor_id" variable in the output plugin.
If I update all the rules except snort.conf, I lose the ability to
disable snmp rules on a sitewide basis (for example) by commenting out
that snmp-rules section of the snort.conf and having that change blasted
out to the sensors.  With Activeworx it appears that I need a unique
snort rules configuration for each sensor, and that might be too much
admin overhead.

What is the best way to proceed assuming standard UN*X style tools like
SSH, OpenSSL, Rsync, etc?  Currently I have certificate auth working
from a "master" sensor to the "slave" sensors for SSH and Rsync over
ssh, but the "perfect" way to update rules from master to clients eludes
me.  Any help?

Related issue:  I want to upgrade to 2.1, but I don't want to update all
the remote sensors by hand.  Is the snort binary the only file I have to
push out?  Is there a packing list somewhere in a Makefile or something,
or a way to install all the snort binaries into an alternate directory
structure so I can move those binaries to the remote machines?

I apologize in advance for the redundant nature of these questions, but
although these issues are often discussed, I haven't found a solution
that resonates as "the right one" yet.

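The "rendered template" approach to the snort.conf problem raised above, as an added example that is not part of the original post or of the Snort project: the master keeps one sitewide snort.conf template whose only per-sensor content is two tokens, renders a copy per sensor (so commenting out a rule section in the template reaches every sensor in the next push), then rsyncs rules and the rendered config over the ssh key auth the poster already has working. The script, the @HOME_NET@ and @SENSOR_ID@ token names, the sensors.txt format and the directory layout are all assumptions made for this example; rsync -az --delete, ssh, and snort -T (Snort's configuration test mode) are the real tools.

```shell
#!/bin/sh
# Hypothetical master-side push script (added example, not from the original post).
# Assumed layout on the master:
#   $SITE/rules/            sitewide tuned rule files, identical on every sensor
#   $SITE/snort.conf.tmpl   sitewide snort.conf carrying @HOME_NET@ and @SENSOR_ID@ tokens
#   $SITE/sensors.txt       one "host home_net sensor_id" triple per line, '#' comments allowed
set -eu

SITE="${SITE:-/etc/snort-master}"
REMOTE_DIR="${REMOTE_DIR:-/etc/snort}"

# render_conf TEMPLATE HOME_NET SENSOR_ID
# Substitute the two per-sensor values into an otherwise sitewide snort.conf.
# '|' is used as the sed delimiter because HOME_NET contains '/' (CIDR).
render_conf() {
    tmpl=$1 home_net=$2 sensor_id=$3
    sed -e "s|@HOME_NET@|$home_net|g" -e "s|@SENSOR_ID@|$sensor_id|g" "$tmpl"
}

# check_rendered FILE
# Succeed only if no @TOKEN@ placeholder survived rendering; a config with an
# unexpanded token must never be pushed to a sensor.
check_rendered() {
    ! grep -q '@[A-Z_][A-Z_]*@' "$1"
}

# push_sensor HOST HOME_NET SENSOR_ID
push_sensor() {
    host=$1 home_net=$2 sensor_id=$3
    tmp=$(mktemp)
    render_conf "$SITE/snort.conf.tmpl" "$home_net" "$sensor_id" >"$tmp"
    if ! check_rendered "$tmp"; then
        echo "unexpanded token in rendered conf for $host, not pushing" >&2
        rm -f "$tmp"
        return 1
    fi
    # Rules: mirror the master copy exactly, deleting files retired sitewide.
    rsync -az --delete -e ssh "$SITE/rules/" "root@$host:$REMOTE_DIR/rules/"
    # Config: rendered per sensor, so it no longer has to be excluded from the push.
    rsync -az -e ssh "$tmp" "root@$host:$REMOTE_DIR/snort.conf"
    rm -f "$tmp"
    # Let snort parse the new config on the sensor before anyone restarts it.
    ssh "root@$host" "snort -T -c $REMOTE_DIR/snort.conf"
}

# push_all: walk sensors.txt and push every listed sensor.
push_all() {
    while read -r host home_net sensor_id; do
        case $host in ''|'#'*) continue ;; esac
        push_sensor "$host" "$home_net" "$sensor_id"
    done <"$SITE/sensors.txt"
}

# Only push when explicitly asked (SNORT_PUSH=yes), so the file can also be
# sourced just for its functions.
if [ "${SNORT_PUSH:-}" = "yes" ]; then
    push_all
fi
```

Run as SNORT_PUSH=yes SITE=/path/to/master ./push_snort.sh from the master. A variant with no templating at all is to keep a one-line per-sensor file on each box (the HOME_NET var and the output plugin line) and pull it into the sitewide snort.conf with Snort's include directive; the rsync then excludes only that one small file instead of the whole snort.conf.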