[Snort-users] Pulled Pork
cummingsj at ...11827...
Tue Aug 28 13:55:05 EDT 2012
Exactly.. and you don't need to copy the snort.conf over every time, same
with the threshold.conf (those two may well have site/system specific
As to how you sync the files.. scp, rsync, rpm.. whatever you are more
adept / comfortable at/with..
On Tue, Aug 28, 2012 at 11:43 AM, Castle, Shane
> <scastle at ...14946...> wrote:
> Security Onion does this for the systems defined as sensors only, using
> scp and ssh keys. A short extract from the cron job that is run:
> echo "Copying rules from $SERVERNAME."
> scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/downloaded.rules
> scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/local.rules
> scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/so_rules.rules
> scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/snort/sid-msg.map
> I'm sure you can guess how the variables are set.
> In this case, the rules are pulled rather than pushed.
> If you want to run PP on each system in order to customize for each one
> what rules are enabled/modified/disabled, you could have the "parent"
> system put the tarballed rules in an accessible directory, scp them over,
> then run PP with the '-n' parameter so that it won't download a new set of
> Shane Castle
> Data Security Mgr, Boulder County IT
> CISSP GSEC GCIH
> -----Original Message-----
> From: JJC [mailto:cummingsj at ...11827...]
> Sent: Tuesday, August 28, 2012 11:08
> To: Nicholas Horton
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Pulled Pork
> It's certainly advantageous to do that with something like an RSYNC,
> assuming that you don't need to customize the tuning and local.rules on
> each system. In that case you want to run PP on each system and be able to
> tune for specific things (OS, Application etc...) in that environment / on
> that system.
> On Tue, Aug 28, 2012 at 10:19 AM, Nicholas Horton <fivetenets at ...14399...>
> Not sure if I understand my own question perfectly, but I'm
> wondering if it's possible to not extract rules on all my field systems.
> More specifically is it good practice or doable to have pulled
> pork running on a development system in my lab and then just push out
> snort.rules, local.rules, so_rules.rules, sid-msg.map, threshold.conf, and
> snort.conf to the field systems?
> Snort.conf would point to those files obviously.
> This would allow only a single system to manage my rules but all
> others would take advantage and have less overhead.
> Plus I could test these new rules on this development system
> before they are pushed out to field sites.
> If that is the whole idea behind pulled pork, I apologize. I'm just
> not sure if it has to run on the local snortbox or not.
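The pull-based sync discussed in this thread, written out as an added example; this is not Security Onion's cron job, PulledPork's code, or anything posted by the participants. It assumes the central PulledPork host publishes the rule files plus a sha256 manifest in one directory, and that the sensor reaches it with scp and a key (COPY_CMD and SNORT_TEST_CMD are hypothetical knobs introduced here so the script can be exercised against a local directory without scp or snort installed). Beyond what the thread shows, it verifies the transferred files against the manifest, keeps the previous rule set, test-loads the config with snort -T, and rolls back if the new rules fail to parse.

```shell
#!/usr/bin/env bash
# Added example, not Security Onion's cron job or PulledPork's own code.
# Pull-side rule sync for a Snort sensor: fetch the rule set a central
# PulledPork host publishes, verify it against the publisher's manifest,
# install it with a backup, test-load the config, roll back on failure.
set -euo pipefail

# Files the central host publishes (assumed layout; adjust to your site).
RULE_FILES="downloaded.rules local.rules so_rules.rules sid-msg.map"
MANIFEST="MANIFEST.sha256"   # sha256sum output written on the central host after PP runs

# Transport: defaults to scp with the key in $KEY, like the cron job quoted
# above. Hypothetical override: COPY_CMD=cp tests against a local directory.
COPY_CMD="${COPY_CMD:-scp -q -i ${KEY:-/etc/snort/sync.key}}"
# Config test run after install; snort -T exits non-zero on a rule parse error.
SNORT_TEST_CMD="${SNORT_TEST_CMD:-snort -q -T -c /etc/snort/snort.conf}"

# publish_manifest RULESDIR: run on the central host right after PulledPork.
publish_manifest() {
  (cd "$1" && sha256sum $RULE_FILES > "$MANIFEST")
}

# fetch_rules SRC STAGE: copy manifest and rule files into a staging dir,
# then check every digest. Returns 1 if a file is missing, truncated or
# altered relative to what the central host published.
fetch_rules() {
  local src="$1" stage="$2" f
  mkdir -p "$stage"
  for f in $MANIFEST $RULE_FILES; do
    $COPY_CMD "$src/$f" "$stage/$f" || return 1
  done
  (cd "$stage" && sha256sum --quiet -c "$MANIFEST") || return 1
}

# install_rules STAGE RULESDIR: back up the live rules, copy the staged set
# into place, test-load Snort, and restore the backup if the test fails.
install_rules() {
  local stage="$1" rules="$2" f
  local backup="$rules/.prev"
  mkdir -p "$rules" "$backup"
  for f in $RULE_FILES; do
    [ -f "$rules/$f" ] && cp -p "$rules/$f" "$backup/$f"
    cp -p "$stage/$f" "$rules/$f"
  done
  if $SNORT_TEST_CMD; then
    return 0
  fi
  echo "snort -T failed; restoring previous rule set" >&2
  for f in $RULE_FILES; do
    [ -f "$backup/$f" ] && cp -p "$backup/$f" "$rules/$f"
  done
  return 1
}

# sync_rules SRC RULESDIR: the whole pull, as the sensor's cron job would run it.
# Returns 0 only if the new rules were verified, installed and test-loaded.
sync_rules() {
  local stage rc=0
  stage="$(mktemp -d)"
  fetch_rules "$1" "$stage" && install_rules "$stage" "$2" || rc=$?
  rm -rf "$stage"
  return "$rc"
}
```

The manifest travels over the same scp channel as the rules, so this catches partial or corrupted transfers and a mismatch between the manifest and the files, not a compromised central host; if you need tamper evidence against the publisher, sign the manifest on the central host and verify the signature on the sensor before `sha256sum -c`. A successful `sync_rules` is the point to send Snort its reload signal; a failing one leaves the previous rule set in place.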