[Snort-users] Pulled Pork

JJ Cummings cummingsj at ...11827...
Tue Aug 28 14:52:28 EDT 2012


Gotcha, sounds like you got it figured out then :)

Sent from the iRoad

On Aug 28, 2012, at 12:27, Jeremy Hoel <jthoel at ...11827...> wrote:

> We tar up our conf files, rules, bpf and other things, then have the
> clients grab the tarball via ip/acl and then expand and restart.
> 
> We include snort.conf and threshold.conf as we make changes to these
> on a pretty regular basis for adding new IPs to groups or clearing
> FPs on rules.
> 
> 
> On Tue, Aug 28, 2012 at 5:55 PM, JJC <cummingsj at ...11827...> wrote:
>> Exactly.. and you don't need to copy the snort.conf over every time, same
>> with the threshold.conf (those two may well have site/system specific
>> values).
>> 
>> As to how you sync the files.. scp, rsync, rpm.. whatever you are more adept
>> / comfortable at/with..
>> 
>> On Tue, Aug 28, 2012 at 11:43 AM, Castle, Shane <scastle at ...14946...>
>> wrote:
>>> 
>>> Security Onion does this for the systems defined as sensors only, using
>>> scp and ssh keys. A short extract from the cron job that is run:
>>> 
>>>     echo "Copying rules from $SERVERNAME."
>>>     scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/downloaded.rules $RULES/downloaded.rules
>>>     scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/local.rules $RULES/local.rules
>>>     scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/so_rules.rules $RULES/so_rules.rules
>>>     scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/snort/sid-msg.map /etc/snort/sid-msg.map
>>> 
>>> I'm sure you can guess how the variables are set.
>>> 
>>> In this case, the rules are pulled rather than pushed.
>>> 
>>> If you want to run PP on each system in order to customize for each one
>>> what rules are enabled/modified/disabled, you could have the "parent" system
>>> put the tarballed rules in an accessible directory, scp them over, then run
>>> PP with the '-n' parameter so that it won't download a new set of rules.
>>> 
>>> --
>>> Shane Castle
>>> Data Security Mgr, Boulder County IT
>>> CISSP GSEC GCIH
>>> 
>>> 
>>> -----Original Message-----
>>> From: JJC [mailto:cummingsj at ...11827...]
>>> Sent: Tuesday, August 28, 2012 11:08
>>> To: Nicholas Horton
>>> Cc: snort-users at lists.sourceforge.net
>>> Subject: Re: [Snort-users] Pulled Pork
>>> 
>>> It's certainly advantageous to do that with something like an RSYNC,
>>> assuming that you don't need to customize the tuning and local.rules on each
>>> system.  In that case you want to run PP on each system and be able to tune
>>> for specific things (OS, Application etc...) in that environment / on that
>>> system.
>>> 
>>> JJC
>>> 
>>> 
>>> On Tue, Aug 28, 2012 at 10:19 AM, Nicholas Horton <fivetenets at ...14795.....>
>>> wrote:
>>> 
>>> 
>>> Not sure if I understand my own question perfectly but I'm
>>> wondering if it's possible to not extract rules on all my field systems.
>>> 
>>> More specifically is it good practice or doable to have pulled
>>> pork running on a development system in my lab and then just push out
>>> snort.rules, local.rules, so_rules.rules, sid-msg.map, threshold.conf, and
>>> snort.conf to the field systems?
>>> 
>>> Snort.conf would point to those files obviously.
>>> 
>>> This would allow only a single system to manage my rules but all
>>> others would take advantage and have less overhead.
>>> 
>>> Plus I could test these new rules on this development system
>>> before they are pushed out to field sites.
>>> 
>>> If that is the whole idea behind pulled pork I apologize. I'm just
>>> not sure if it has to run on the local snortbox or not.
>>> 
>>> Thanks
>>> Nick
>>> 
>>> 
>>> ------------------------------------------------------------------------------
>>>        Live Security Virtual Conference
>>>        Exclusive live event will cover all the ways today's security and
>>>        threat landscape has changed and how IT managers can respond.
>>> Discussions
>>>        will include endpoint security, mobile security and the latest in
>>> malware
>>>        threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>>        _______________________________________________
>>>        Snort-users mailing list
>>>        Snort-users at lists.sourceforge.net
>>>        Go to this URL to change user options or unsubscribe:
>>>        https://lists.sourceforge.net/lists/listinfo/snort-users
>>>        Snort-users list archive:
>>>        http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>> 
>>>        Please visit http://blog.snort.org to stay current on all the
>>> latest Snort news!
>>> 
>>> 
>>> 
>> 
>> 
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort
>> news!
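The "grab the tarball, expand, restart" step that the thread describes, written out as an added example (not code from Security Onion, PulledPork or any of the posters). It assumes the sensor has already pulled the tarball from the central PulledPork host (scp, rsync, whatever) together with a SHA-256 sidecar file, which is an assumption of this example, and it refuses to touch the live rules directory unless the checksum matches and every file snort.conf includes is present:

```shell
#!/bin/sh
# Added example (not Security Onion's, PulledPork's or any poster's code).
# Installs a rules bundle that a sensor has already pulled from the central
# PulledPork host (e.g. with scp, as in the thread). Assumption: the central
# host also publishes a SHA-256 of the tarball, fetched alongside it.
set -eu

# Files the thread lists as being pushed out to the field systems.
RULE_FILES="snort.rules local.rules so_rules.rules sid-msg.map threshold.conf"

# install_rules_bundle <bundle.tar.gz> <bundle.sha256> <dest dir>
# Returns 0 if installed, 1 on checksum mismatch, 2 if a file is missing.
# Nothing is written to <dest dir> unless every check passes.
install_rules_bundle() {
    bundle="$1"; sums="$2"; dest="$3"
    stage="$(mktemp -d)"

    # 1. Integrity: compare the published digest with the bundle we hold,
    #    so a truncated or tampered transfer never reaches snort.conf.
    expected="$(cut -d' ' -f1 "$sums")"
    actual="$(sha256sum "$bundle" | cut -d' ' -f1)"
    if [ "$expected" != "$actual" ]; then
        rm -rf "$stage"; return 1
    fi

    # 2. Unpack into a staging directory, never straight into $dest.
    tar -xzf "$bundle" -C "$stage"

    # 3. Completeness: every file snort.conf includes must be present,
    #    otherwise the restart that follows would fail or load stale rules.
    for f in $RULE_FILES; do
        if [ ! -f "$stage/$f" ]; then
            rm -rf "$stage"; return 2
        fi
    done

    # 4. Swap the verified set into place; restart snort after this step
    #    (snort -T -c snort.conf is a cheap pre-restart config test).
    mkdir -p "$dest"
    for f in $RULE_FILES; do
        cp "$stage/$f" "$dest/$f"
    done
    rm -rf "$stage"
    return 0
}
```

If each sensor runs its own PulledPork with -n instead, the same verify-then-swap applies to the tarball PP is pointed at.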
