[Snort-users] Pulled Pork

Nicholas Horton fivetenets at ...14399...
Tue Aug 28 13:40:26 EDT 2012

Got it. Thanks.

Yes all of our field systems would be identical except for their IP subnet. No customization needed. One standard that would apply to all field boxes minus the unique subnet. 

Assuming I have this master set of config files (listed below) that I want to push out to 200 snortboxes would I be better to use RSYNC or build RPMs or something else?

I would need to adjust only a few values in the conf files where I'm suppressing, etc based on a specific host. Each snortbox site although the same equipment and rules would have its own unique ip subnet.

For example (made up):
Site 1 is
Site 2 is

For example let's say I have a stream5 value in snort.conf binding to a specific ip. At another site that same line applies but the subnet is different and needs to be replaced with that different site's subnet.

Thanks again JJC,

On Aug 28, 2012, at 1:08 PM, JJC <cummingsj at ...11827...> wrote:

> It's certainly advantageous to do that with something like an RSYNC, assuming that you don't need to customize the tuning and local.rules on each system.  In that case you want to run PP on each system and be able to tune for specific things (OS, Application etc...) in that environment / on that system.
> On Tue, Aug 28, 2012 at 10:19 AM, Nicholas Horton <fivetenets at ...14399...> wrote:
> Not sure if I understand my own question perfectly but I'm wondering if it's possible to not extract rules on all my field systems.
> More specifically is it good practice or doable to have pulled pork running on a development system in my lab and then just push out snort.rules, local.rules, so_rules.rules, sid-msg.map, threshold.conf, and snort.conf to the field systems?
> Snort.conf would point to those files obviously.
> This would allow only a single system to manage my rules but all others would take advantage and have less overhead.
> Plus I could test these new rules on this development system before they are pushed out to field sites.
> If that is the whole idea behind pulled pork I apologize. I'm just not sure if it has to run on the local snortbox or not.
> Thanks
> Nick
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120828/88f6ac4c/attachment.html>

More information about the Snort-users mailing list