[Snort-users] Pulled Pork

JJC cummingsj at ...11827...
Tue Aug 28 13:55:05 EDT 2012


Exactly.. and you don't need to copy the snort.conf over every time, same
with the threshold.conf (those two may well have site/system specific
values).

As to how you sync the files.. scp, rsync, rpm.. whatever you are more
adept / comfortable at/with..

On Tue, Aug 28, 2012 at 11:43 AM, Castle, Shane <scastle at ...14946...> wrote:

> Security Onion does this for the systems defined as sensors only, using
> scp and ssh keys. A short extract from the cron job that is run:
>
>         echo "Copying rules from $SERVERNAME."
>         scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/downloaded.rules $RULES/downloaded.rules
>         scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/local.rules $RULES/local.rules
>         scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/so_rules.rules $RULES/so_rules.rules
>         scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/snort/sid-msg.map /etc/snort/sid-msg.map
>
> I'm sure you can guess how the variables are set.
>
> In this case, the rules are pulled rather than pushed.
>
> If you want to run PP on each system in order to customize for each one
> what rules are enabled/modified/disabled, you could have the "parent"
> system put the tarballed rules in an accessible directory, scp them over,
> then run PP with the '-n' parameter so that it won't download a new set of
> rules.
>
> --
> Shane Castle
> Data Security Mgr, Boulder County IT
> CISSP GSEC GCIH
>
>
> -----Original Message-----
> From: JJC [mailto:cummingsj at ...11827...]
> Sent: Tuesday, August 28, 2012 11:08
> To: Nicholas Horton
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Pulled Pork
>
> It's certainly advantageous to do that with something like an RSYNC,
> assuming that you don't need to customize the tuning and local.rules on
> each system.  In that case you want to run PP on each system and be able to
> tune for specific things (OS, Application etc...) in that environment / on
> that system.
>
> JJC
>
>
> On Tue, Aug 28, 2012 at 10:19 AM, Nicholas Horton <fivetenets at ...14399...>
> wrote:
>
>
> Not sure if I understand my own question perfectly but I'm wondering if it's
> possible to not extract rules on all my field systems.
>
> More specifically is it good practice or doable to have pulled pork running
> on a development system in my lab and then just push out snort.rules,
> local.rules, so_rules.rules, sid-msg.map, threshold.conf, and snort.conf to
> the field systems?
>
> Snort.conf would point to those files obviously.
>
> This would allow only a single system to manage my rules but all others
> would take advantage and have less overhead.
>
> Plus I could test these new rules on this development system before they
> are pushed out to field sites.
>
> If that is the whole idea behind pulled pork I apologize. I'm just not sure
> if it has to run on the local snortbox or not.
>
> Thanks
> Nick
>
>
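The pull model the thread converges on (one PulledPork host stages the rule files, each sensor fetches them, site-specific snort.conf and threshold.conf stay local) can be made a little safer than a bare scp loop by having the central host publish a SHA-256 manifest next to the rules and having each sensor verify it before installing. The script below is an added example written for this reply; it is not Security Onion's cron job and not PulledPork's own code. The scp/rsync fetch is stood in for by a local directory copy so the example runs offline; the staging directory, manifest name and `sync_rules` function are assumptions of the example.

```shell
#!/bin/sh
# Pull-style rule sync for a Snort sensor (added example, not from the
# thread, Security Onion or PulledPork). The central PulledPork host writes
# the rule files plus manifest.sha256 into a staging directory; each sensor
# fetches that directory, verifies every file against the manifest, and only
# then installs. snort.conf and threshold.conf are never accepted: they hold
# sensor-specific values and stay local, as the thread recommends.

# Files a sensor is allowed to accept from the central host (assumed set;
# sid-msg.map is kept in the same directory here for simplicity).
RULE_FILES="snort.rules local.rules so_rules.rules sid-msg.map"

# Fetch step. In production this would be the scp/rsync call, e.g.
#   scp -i "$KEY" "$SSH_USERNAME@$SERVERNAME:$REMOTE_DIR/*" "$STAGE"/
# For the offline example, $1 is a directory on the same box (assumption).
fetch_stage() {
    src="$1"; stage="$2"
    mkdir -p "$stage"
    cp "$src"/* "$stage"/
}

# Check every listed rule file against manifest.sha256 in the staging dir.
# Fails if a file is missing, unlisted in the manifest, or has a wrong hash,
# so a truncated transfer or an altered file is never installed.
verify_stage() {
    stage="$1"
    [ -f "$stage/manifest.sha256" ] || { echo "no manifest" >&2; return 1; }
    for f in $RULE_FILES; do
        [ -f "$stage/$f" ] || { echo "missing $f" >&2; return 1; }
        expected=$(awk -v n="$f" '$2 == n {print $1}' "$stage/manifest.sha256")
        [ -n "$expected" ] || { echo "$f not in manifest" >&2; return 1; }
        actual=$(sha256sum "$stage/$f" | awk '{print $1}')
        [ "$actual" = "$expected" ] || { echo "hash mismatch on $f" >&2; return 1; }
    done
    return 0
}

# Install verified rule files. Site-specific files are refused even if the
# central host staged them by mistake. Each file is written under a temp
# name and renamed into place so Snort never reads a half-written file.
install_rules() {
    stage="$1"; rules_dir="$2"
    for f in snort.conf threshold.conf; do
        if [ -f "$stage/$f" ]; then
            echo "refusing to overwrite site-specific $f" >&2
            return 1
        fi
    done
    mkdir -p "$rules_dir"
    for f in $RULE_FILES; do
        cp "$stage/$f" "$rules_dir/.$f.tmp" && mv "$rules_dir/.$f.tmp" "$rules_dir/$f"
    done
    return 0
}

# Whole pull: fetch, verify, install, then validate the live config with
# `snort -T` before any reload (skipped when snort is not on this host).
sync_rules() {
    src="$1"; stage="$2"; rules_dir="$3"
    fetch_stage "$src" "$stage" || return 1
    verify_stage "$stage" || return 1
    install_rules "$stage" "$rules_dir" || return 1
    if command -v snort >/dev/null 2>&1 && [ -f /etc/snort/snort.conf ]; then
        snort -T -c /etc/snort/snort.conf || return 1
    fi
    return 0
}
```

On the central host the manifest is produced once per PulledPork run with `sha256sum snort.rules local.rules so_rules.rules sid-msg.map > manifest.sha256` in the staging directory; sensors that need their own tuning can instead run PulledPork with `-n` against the fetched tarball, as Shane describes, and still use the same verify step on what they pulled.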