[Snort-users] Pulled Pork

Jeremy Hoel jthoel at ...11827...
Tue Aug 28 14:27:02 EDT 2012


We tar up our conf files, rules, bpf and other things, then have the
clients grab the tarball via IP/ACL and then expand and restart.

We include snort.conf and threshold.conf as we make changes to these
on a pretty regular basis for adding new IPs to groups or clearing
FPs on rules.


On Tue, Aug 28, 2012 at 5:55 PM, JJC <cummingsj at ...11827...> wrote:
> Exactly.. and you don't need to copy the snort.conf over every time, same
> with the threshold.conf (those two may well have site/system specific
> values).
>
> As to how you sync the files.. scp, rsync, rpm.. whatever you are more adept
> / comfortable at/with..
>
> On Tue, Aug 28, 2012 at 11:43 AM, Castle, Shane <scastle at ...14946...>
> wrote:
>>
>> Security Onion does this for the systems defined as sensors only, using
>> scp and ssh keys. A short extract from the cron job that is run:
>>
>>         echo "Copying rules from $SERVERNAME."
>>         scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/downloaded.rules $RULES/downloaded.rules
>>         scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/local.rules $RULES/local.rules
>>         scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/so_rules.rules $RULES/so_rules.rules
>>         scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/snort/sid-msg.map /etc/snort/sid-msg.map
>>
>> I'm sure you can guess how the variables are set.
>>
>> In this case, the rules are pulled rather than pushed.
>>
>> If you want to run PP on each system in order to customize for each one
>> what rules are enabled/modified/disabled, you could have the "parent" system
>> put the tarballed rules in an accessible directory, scp them over, then run
>> PP with the '-n' parameter so that it won't download a new set of rules.
>>
>> --
>> Shane Castle
>> Data Security Mgr, Boulder County IT
>> CISSP GSEC GCIH
>>
>>
>> -----Original Message-----
>> From: JJC [mailto:cummingsj at ...11827...]
>> Sent: Tuesday, August 28, 2012 11:08
>> To: Nicholas Horton
>> Cc: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Pulled Pork
>>
>> It's certainly advantageous to do that with something like an RSYNC,
>> assuming that you don't need to customize the tuning and local.rules on each
>> system.  In that case you want to run PP on each system and be able to tune
>> for specific things (OS, Application etc...) in that environment / on that
>> system.
>>
>> JJC
>>
>>
>> On Tue, Aug 28, 2012 at 10:19 AM, Nicholas Horton <fivetenets at ...14399...>
>> wrote:
>>
>>
>>         Not sure if I understand my own question perfectly but I'm
>> wondering if it's possible to not extract rules on all my field systems.
>>
>>         More specifically is it good practice or doable to have pulled
>> pork running on a development system in my lab and then just push out
>> snort.rules, local.rules, so_rules.rules, sid-msg.map, threshold.conf, and
>> snort.conf to the field systems?
>>
>>         Snort.conf would point to those files obviously.
>>
>>         This would allow only a single system to manage my rules but all
>> others would take advantage and have less overhead.
>>
>>         Plus I could test these new rules on this development system
>> before they are pushed out to field sites.
>>
>>         If that is the whole idea behind pulled pork I apologize. I'm just
>> not sure if it has to run on the local snortbox or not.
>>
>>         Thanks
>>         Nick
>>
>>
>> ------------------------------------------------------------------------------
>>         Live Security Virtual Conference
>>         Exclusive live event will cover all the ways today's security and
>>         threat landscape has changed and how IT managers can respond.
>> Discussions
>>         will include endpoint security, mobile security and the latest in
>> malware
>>         threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>         _______________________________________________
>>         Snort-users mailing list
>>         Snort-users at lists.sourceforge.net
>>         Go to this URL to change user options or unsubscribe:
>>         https://lists.sourceforge.net/lists/listinfo/snort-users
>>         Snort-users list archive:
>>         http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>>         Please visit http://blog.snort.org to stay current on all the
>> latest Snort news!
>>
>>
>>
>
>
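The workflow the thread describes (the "parent" system bundles the rule and conf files, each sensor pulls the bundle over scp with a dedicated key, then expands it and restarts), written out as an added example script; it is not code from the thread, from Security Onion or from PulledPork. The file list, the bundle name, the staging/rollback directory layout and the scp variables are assumptions. Two things a sensor-side script should do that the quoted cron extract does not show are added: verify a SHA-256 digest published with the bundle before unpacking it, and test the staged configuration with `snort -T` (skipped when snort is not installed) before the live tree is replaced.

```shell
#!/bin/sh
# Added example: central build of a Snort rule bundle and verified install
# on a sensor. Paths, file names and variables are assumptions.
set -eu

BUNDLE_FILES="snort.rules local.rules so_rules.rules sid-msg.map threshold.conf snort.conf"

# Parent side: tar the files the thread lists and publish a SHA-256 digest
# next to the tarball so sensors can check the copy they received.
make_bundle() {
    srcdir="$1"; outdir="$2"
    bundle="$outdir/snort-rules.tar.gz"
    mkdir -p "$outdir"
    # shellcheck disable=SC2086  (BUNDLE_FILES is intentionally word-split)
    tar -czf "$bundle" -C "$srcdir" $BUNDLE_FILES
    ( cd "$outdir" && sha256sum snort-rules.tar.gz > snort-rules.tar.gz.sha256 )
    echo "$bundle"
}

# Sensor side: pull bundle and digest with a dedicated key, as in the quoted
# cron extract. Assumed argument names; not exercised in the offline test.
fetch_bundle() {
    key="$1"; user="$2"; server="$3"; remote_dir="$4"; dest="$5"
    mkdir -p "$dest"
    scp -i "$key" "$user@$server:$remote_dir/snort-rules.tar.gz" "$dest/"
    scp -i "$key" "$user@$server:$remote_dir/snort-rules.tar.gz.sha256" "$dest/"
}

# Sensor side: verify the digest, unpack into a staging tree, confirm every
# expected file arrived, test the config, then swap the tree into place.
# Any failure returns non-zero and leaves the live tree untouched.
install_bundle() {
    dldir="$1"; livedir="$2"
    staging="$livedir.staging"
    ( cd "$dldir" && sha256sum -c --status snort-rules.tar.gz.sha256 ) || {
        echo "checksum mismatch, refusing to install" >&2; return 1; }
    rm -rf "$staging"; mkdir -p "$staging"
    tar -xzf "$dldir/snort-rules.tar.gz" -C "$staging"
    for f in $BUNDLE_FILES; do
        [ -f "$staging/$f" ] || {
            echo "bundle is missing $f" >&2; rm -rf "$staging"; return 1; }
    done
    # Config test on the staged tree; only possible where snort is installed.
    if command -v snort >/dev/null 2>&1; then
        snort -T -c "$staging/snort.conf" >/dev/null 2>&1 || {
            echo "snort -T rejected staged config" >&2; rm -rf "$staging"; return 1; }
    fi
    # Keep the previous tree as a rollback point, then move staging live.
    rm -rf "$livedir.old"
    [ -d "$livedir" ] && mv "$livedir" "$livedir.old"
    mv "$staging" "$livedir"
    echo "installed into $livedir"
}

# Typical sensor run (assumed values); restart Snort only after success:
#   fetch_bundle /etc/snort/keys/pull_key snort parent.example.com /var/rules /var/tmp/pull \
#     && install_bundle /var/tmp/pull /etc/snort/rules \
#     && service snort restart
```

The digest only detects a corrupted or truncated copy; it is served by the same host as the tarball, so a sensor still trusts the parent and the SSH key that reaches it. Restricting that key to a read-only command on the parent, as the thread's pull model allows, is what keeps a compromised sensor from pushing rules to its peers.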
