[Snort-users] Managing many sensors

Andreas Östling andreaso at ...236...
Fri Jan 2 12:01:02 EST 2004


On Tue, 30 Dec 2003, robert schwartz wrote:

> What is the best way to proceed assuming standard UN*X style tools like
> SSH, OpenSSL, Rsync, etc?  Currently I have certificate auth working
> from a "master" sensor to the "slave" sensors for SSH and Rsync over
> ssh, but the "perfect" way to update rules from master to clients eludes
> me.  Any help?

It sounds like your solution is pretty good and I wouldn't know what the 
"perfect" way is. I can only tell you how I did it with the rules and 
config part in case it could give some ideas.
Some of the requirements I had:

- Ability to use one global config where rules can be globally
  enabled/disabled/modified and then also ability to fine-tune 
  rules/config on each sensor (even override global settings if required) 
  and also have each one report all exact changes (as a change in the 
  global config may give different results on different sensors depending 
  on their local configuration, it's nice to be informed of the exact
  resulting diff). Same goes for non-rule stuff like variables and bpf
  filters and such.

- Must work equally well for official and local rules (hence also 
  multi-line rules for example), and new local rules and other config 
  stuff must only have to be added in one single place

- Must scale well, i.e. number of sensors should not matter at all and
  adding new sensors must be trivial. Everything must be easy to script
  and a GUI should be optional, not required.

The solution for me was to run Oinkmaster on each sensor to grab rules 
and other configs from a central host (which itself has first updated and
processed them with a global Oinkmaster config). To keep things simple I
use one tarball for official rules and another for local stuff, and they
go to different output directories.

One thing I like to take advantage of is the fact that Snort (and 
Oinkmaster as well if you use that) can use include files, so you can
reduce admin overhead by using multiple config files. I use this by 
having one global snort config (containing all common stuff) and also one
sensor-specific config for each sensor. They are also distributed with
Oinkmaster just as the other files.

/Andreas
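An added illustration of the layering Andreas describes (global enable/disable/modify decisions made once on the central host, per-sensor overrides applied on top, and the exact resulting diff reported for each sensor). This is example code written for this page, not Andreas's setup or Oinkmaster's own code; the rule text, the sids and the $DNS_SERVERS substitution are constructed.

```python
import re
import difflib

# Constructed sample rules (not from the post); rule two is wrapped with a
# trailing backslash, as Snort allows, so multi-line rules are handled too.
RULES = """\
alert tcp any any -> any 80 (msg:"WEB test one"; sid:1000001; rev:1;)
alert tcp any any -> any 22 (msg:"SSH test two"; \\
    flow:to_server; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"DNS test three"; sid:1000003; rev:1;)
"""
# Hypothetical global policy (central host) and one sensor's local overrides.
GLOBAL_CFG = {"disablesid": {1000001, 1000002},
              "modifysid": {1000003: (r"any 53", "$DNS_SERVERS 53")}}
SENSOR_CFG = {"enablesid": {1000002}, "disablesid": {1000003}}

def split_rules(text):
    """Join backslash-continued lines so every rule is one logical line."""
    rules, buf = [], ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1]
            continue
        rules.append(buf + (line.lstrip() if buf else line))
        buf = ""
    return rules

def sid_of(rule):
    m = re.search(r"sid:\s*(\d+)\s*;", rule)
    return int(m.group(1)) if m else None

def apply_layers(text, global_cfg, local_cfg):
    """Global decisions first; the sensor's own config wins on conflict."""
    disabled = (global_cfg.get("disablesid", set()) - local_cfg.get("enablesid", set())) \
        | local_cfg.get("disablesid", set())
    mods = {**global_cfg.get("modifysid", {}), **local_cfg.get("modifysid", {})}
    out = []
    for rule in split_rules(text):
        sid = sid_of(rule)
        if sid in mods:
            rule = re.sub(mods[sid][0], mods[sid][1], rule)
        if sid in disabled and not rule.startswith("#"):
            rule = "# " + rule
        out.append(rule)
    return "\n".join(out) + "\n"

def exact_diff(before, after):
    """Unified diff of two rule sets: what this sensor will actually change."""
    return list(difflib.unified_diff(before.splitlines(), after.splitlines(),
                                     "global-only", "this-sensor", lineterm=""))
```

Running `exact_diff(apply_layers(RULES, GLOBAL_CFG, {}), apply_layers(RULES, GLOBAL_CFG, SENSOR_CFG))` shows only the lines the local overrides changed on this sensor, which is the per-sensor report the post asks for.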