[Snort-users] Managing Multiple Snort Sensors

Willst Mail willstmail at ...11827...
Wed Mar 31 18:38:31 EDT 2010


We are running BASE on Apache and take advantage of a centrally
accessible web server to host our ruleset, custom rules,
threshold.conf, an include file of IP group variables, and other
custom files.  Each sensor has a homemade Perl script that reads a
"manifest" file - a list of files to download from the web server and
a local path to where the file should go.  The script also invokes
pulledpork to process the rules.  The sensors are configured to run
the script during the middle of the night, but we also have a second
script monitoring a "trigger" file on the web server every 15 minutes.
That script basically watches for changes to the trigger file, and if
the file is updated then the script calls the first script to update
the sensors.  That way, if we have an emergency rule or config to
deploy, we just touch the file on the web server and we know that
within 15 minutes all of our sensors will be up to date.

This is mostly home-grown stuff, augmenting pulledpork (and oinkmaster
on a few old sensors).  It's not really "managing" the sensors, but at
least making distribution easier.  Someone else on the list mentioned
that Endace provides some sort of console product for roll-your-own
sensors.  Most companies otherwise require you to use their own
distributions or appliances.

On Wed, Mar 31, 2010 at 5:34 PM,
<snort-users-request at lists.sourceforge.net> wrote:

> Message: 4
> Date: Wed, 31 Mar 2010 11:33:57 -1000
> From: "Chan, Wilson" <wchan at ...14702...>
> Subject: Re: [Snort-users] Managing Multiple Snort Sensors
> To: "JJ Cummings" <cummingsj at ...11827...>
> Cc: "snort-users at lists.sourceforge.net"
>        <Snort-users at lists.sourceforge.net>
> Message-ID:
>        <B26B7D4CD79DC34BB21ABF8CA9CF4ED01AE88D1A at ...14703...>
> Content-Type: text/plain; charset="us-ascii"
>
> Actually, I meant central management for tuning. I googled and found IDS
> Policy Manager from ActiveWorx.org. Any recommendations?
>
> Wilson
>
> From: jcummings at ...1935... [mailto:jcummings at ...1935...] On
> Behalf Of JJ Cummings
> Sent: Wednesday, March 31, 2010 11:23 AM
> To: Chan, Wilson
> Subject: Re: [Snort-users] Managing Multiple Snort Sensors
>
> Depending on the requirements... pulledpork for rule management and
> rsync to sync the rule mods / updates that pulledpork makes...
>
> On Wed, Mar 31, 2010 at 3:17 PM, Chan, Wilson <wchan at ...14702...>
> wrote:
>
> What does everyone use to manage multiple snort sensors? Thanks!
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
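As an added illustration of the manifest-plus-trigger-file scheme described at the top of this message (this is not the poster's Perl script), a small Python version: the manifest layout, the FAKE_SERVER dictionary standing in for the web server, and the optional sha256 column are all assumptions, and the checksum check goes one step beyond the post so a sensor refuses to deploy a file that no longer matches what was published.

```python
import hashlib
import os
# Constructed stand-in for the central web server: remote name -> file bytes.
FAKE_SERVER = {
    "threshold.conf": b"suppress gen_id 1, sig_id 2000001\n",
    "ipvars.conf": b"ipvar DMZ_NET [192.0.2.0/24]\n",
}
IPVARS_SHA = hashlib.sha256(FAKE_SERVER["ipvars.conf"]).hexdigest()

# Constructed manifest (assumed layout): remote name, local path, optional sha256.
SAMPLE_MANIFEST = f"""\
# remote-file    local-path                 sha256 (optional)
threshold.conf   etc/snort/threshold.conf
ipvars.conf      etc/snort/ipvars.conf      {IPVARS_SHA}
"""

def parse_manifest(text):
    """Return [(remote, local, sha256_or_None)]; blank lines and # comments are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) not in (2, 3):
            raise ValueError("malformed manifest line: %r" % raw)
        entries.append((fields[0], fields[1], fields[2] if len(fields) == 3 else None))
    return entries

def sync(entries, fetch, root):
    """Fetch each entry via fetch(remote) -> bytes, verify any sha256, then write under root."""
    fetched = []
    for remote, local, digest in entries:
        data = fetch(remote)
        if digest and hashlib.sha256(data).hexdigest() != digest:
            raise ValueError("checksum mismatch for %s; refusing to deploy" % remote)
        fetched.append((os.path.join(root, local), data))
    for dest, data in fetched:  # write only once every file has been verified
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as fh:
            fh.write(data)
    return [dest for dest, _ in fetched]

def trigger_changed(trigger_bytes, state_path):
    """True when the trigger file's hash differs from the last poll; first poll counts as changed."""
    now = hashlib.sha256(trigger_bytes).hexdigest()
    old = open(state_path).read().strip() if os.path.exists(state_path) else None
    with open(state_path, "w") as fh:
        fh.write(now)
    return old != now
```

On a real sensor the fetch callable would be an HTTP GET against the web server and trigger_changed would run from the 15-minute cron job, calling sync when it returns True.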