[Snort-users] Managing many sensors
andreaso at ...236...
Fri Jan 2 12:01:02 EST 2004
On Tue, 30 Dec 2003, robert schwartz wrote:
> What is the best way to proceed assuming standard UN*X style tools like
> SSH, OpenSSL, Rsync, etc? Currently I have certificate auth working
> from a "master" sensor to the "slave" sensors for SSH and Rsync over
> ssh, but the "perfect" way to update rules from master to clients eludes
> me. Any help?
It sounds like your solution is pretty good and I wouldn't know what the
"perfect" way is. I can only tell you how I did with the rules and
config part in case it could give some ideas.
Some of the requirements I had:
- Ability to use one global config where rules can be globaly
enabled/disabled/modified and then also ability to fine-tune
rules/config on each sensor (even override global settings if required)
and also have each one report all exact changes (as a change in the
global config may give different results on different sensors depending
on their local configuration, it's nice to be informed of the exact
resulting diff). Same goes for non-rule stuff like variables and bpf
filters and such.
- Must work equaly well for official and local rules (hence also
multi-line rules for example), and new local rules and other config
stuff must only have to be added in one single place
- Must scale well, i.e. number of sensors should not matter at all and
adding new sensors must be trivial. Everything must be easy to script
and a GUI should be optional, not required.
The solution for me was to run Oinkmaster on each sensor to grab rules
and other configs from a central host (which itself has first updated and
processed them with a global Oinkmaster config). To keep things simple I
use one tarball for official rules and another for local stuff, and they
go to different output directories.
One thing I like to take advantage of is the fact that Snort (and
Oinkmaster as well if you use that) can use include files, so you can
reduce admin overhead by using multiple config files. I use this by
having one global snort config (containing all common stuff) and also one
sensor-specific config for each sensor. They are also distributed with
Oinkmaster just as the other files.
More information about the Snort-users