[Snort-users] Pulled Pork

Nicholas Horton fivetenets at ...14399...
Tue Aug 28 16:22:43 EDT 2012


Perfect. Thanks. I appreciate the great advice. 

Nick

On Aug 28, 2012, at 2:52 PM, JJ Cummings <cummingsj at ...11827...> wrote:

> Gotcha, sounds like you got it figured out then :)
> 
> Sent from the iRoad
> 
> On Aug 28, 2012, at 12:27, Jeremy Hoel <jthoel at ...11827...> wrote:
> 
>> We tar up our conf files, rules, bpf and other things then have the
>> clients grab the tarball via ip/acl and then expand and restart start.
>> 
>> We include snort.conf and threshold.conf as we make changes to these
>> on a pretty regular basis for adding new IPs to groups or clearing
>> FP's on rules.
>> 
>> 
>> On Tue, Aug 28, 2012 at 5:55 PM, JJC <cummingsj at ...11827...> wrote:
>>> Exactly.. and you don't need to copy the snort.conf over every time, same
>>> with the threshold.conf (those two may well have site/system specific
>>> values).
>>> 
>>> As to how you sync the files.. scp, rsync, rpm.. whatever you are more adept
>>> / comfortable at/with..
>>> 
>>> On Tue, Aug 28, 2012 at 11:43 AM, Castle, Shane <scastle at ...14946...>
>>> wrote:
>>>> 
>>>> Security Onion does this for the systems defined as sensors only, using
>>>> scp and ssh keys. A short extract from the cron job that is run:
>>>> 
>>>>       echo "Copying rules from $SERVERNAME."
>>>>       scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/downloaded.rules $RULES/downloaded.rules
>>>>       scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/local.rules $RULES/local.rules
>>>>       scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/so_rules.rules $RULES/so_rules.rules
>>>>       scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/snort/sid-msg.map /etc/snort/sid-msg.map
>>>> 
>>>> I'm sure you can guess how the variables are set.
>>>> 
>>>> In this case, the rules are pulled rather than pushed.
>>>> 
>>>> If you want to run PP on each system in order to customize for each one
>>>> what rules are enabled/modified/disabled, you could have the "parent" system
>>>> put the tarballed rules in an accessible directory, scp them over, then run
>>>> PP with the '-n' parameter so that it won't download a new set of rules.
>>>> 
>>>> --
>>>> Shane Castle
>>>> Data Security Mgr, Boulder County IT
>>>> CISSP GSEC GCIH
>>>> 
>>>> 
>>>> -----Original Message-----
>>>> From: JJC [mailto:cummingsj at ...11827...]
>>>> Sent: Tuesday, August 28, 2012 11:08
>>>> To: Nicholas Horton
>>>> Cc: snort-users at lists.sourceforge.net
>>>> Subject: Re: [Snort-users] Pulled Pork
>>>> 
>>>> It's certainly advantageous to do that with something like an RSYNC,
>>>> assuming that you don't need to customize the tuning and local.rules on each
>>>> system.  In that case you want to run PP on each system and be able to tune
>>>> for specific things (OS, Application etc...) in that environment / on that
>>>> system.
>>>> 
>>>> JJC
>>>> 
>>>> 
>>>> On Tue, Aug 28, 2012 at 10:19 AM, Nicholas Horton <fivetenets at ...14399...>
>>>> wrote:
>>>> 
>>>> 
>>>>       Not sure if I understand my own question perfectly but I'm
>>>> wondering if it's possible to not extract rules on all my field systems.
>>>> 
>>>>       More specifically is it good practice or doable to have pulled
>>>> pork running on a development system in my lab and then just push out
>>>> snort.rules, local.rules, so_rules.rules, sid-msg.map, threshold.conf, and
>>>> snort.conf to the field systems?
>>>> 
>>>>       Snort.conf would point to those files obviously.
>>>> 
>>>>       This would allow only a single system to manage my rules but all
>>>> others would take advantage and have less overhead.
>>>> 
>>>>       Plus I could test these new rules on this development system
>>>> before they are pushed out to field sites.
>>>> 
>>>>       If that is the whole idea behind pulled pork I apologize. I'm just
>>>> not sure if it has to run on the local snortbox or not.
>>>> 
>>>>       Thanks
>>>>       Nick
>>>> 
>>>> 
>>>> ------------------------------------------------------------------------------
>>>>       Live Security Virtual Conference
>>>>       Exclusive live event will cover all the ways today's security and
>>>>       threat landscape has changed and how IT managers can respond.
>>>> Discussions
>>>>       will include endpoint security, mobile security and the latest in
>>>> malware
>>>>       threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>>>       _______________________________________________
>>>>       Snort-users mailing list
>>>>       Snort-users at lists.sourceforge.net
>>>>       Go to this URL to change user options or unsubscribe:
>>>>       https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>       Snort-users list archive:
>>>>       http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>> 
>>>>       Please visit http://blog.snort.org to stay current on all the
>>>> latest Snort news!
>>>> 
>>>> 
>>>> 
>>> 
>>> 
> 
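The pull-based sync Shane describes (a cron job, scp with a dedicated ssh key, rules pulled rather than pushed, snort.conf and threshold.conf left local), carried one step further as an added example that is not part of the thread: the sensor stages the pulled files, installs them only when something changed, tests them with snort -T before restarting, and rolls back otherwise. The host name, user, key path, staging directory and restart command are assumed placeholders.

```shell
#!/bin/sh
# Sensor-side rule pull in the spirit of the Security Onion cron extract quoted
# above: scp the PulledPork output with a dedicated key, stage it, install it only
# on change, test with snort -T, restart or roll back. Site values are assumed.
SERVERNAME="${SERVERNAME:-pp-master.example.internal}"   # assumed PulledPork host
SSH_USERNAME="${SSH_USERNAME:-rulesync}"                  # assumed read-only user
KEY="${KEY:-/etc/snort/keys/rulesync_id}"                 # assumed ssh private key
SNORT_DIR="${SNORT_DIR:-/etc/snort}"
STAGE="${STAGE:-/var/tmp/snort-rules-stage}"
TEST_CMD="${TEST_CMD:-snort -T -c $SNORT_DIR/snort.conf}"  # snort -T: config self-test
RESTART_CMD="${RESTART_CMD:-service snort restart}"       # assumed init command

# Paths relative to SNORT_DIR on both ends. snort.conf and threshold.conf are
# deliberately not pulled: they carry site-specific values, as the thread notes.
PULL_FILES="rules/downloaded.rules rules/local.rules rules/so_rules.rules sid-msg.map"

# file_differs LIVE STAGED: true (0) when installing STAGED would change LIVE.
file_differs() {
    [ -f "$1" ] || return 0          # no live copy yet counts as a change
    ! cmp -s "$1" "$2"
}

# any_changed LIVEDIR STAGEDIR: true when at least one pulled file differs.
any_changed() {
    for f in $PULL_FILES; do
        file_differs "$1/$f" "$2/$f" && return 0
    done
    return 1
}

# install_files SRCDIR DSTDIR: copy the pulled set, keeping the directory layout.
install_files() {
    for f in $PULL_FILES; do
        [ -f "$1/$f" ] || continue   # nothing to back up on a first run
        mkdir -p "$2/$(dirname "$f")" && cp "$1/$f" "$2/$f" || return 1
    done
}

pull_rules() {
    mkdir -p "$STAGE/rules" || return 1
    for f in $PULL_FILES; do
        scp -q -i "$KEY" "$SSH_USERNAME@$SERVERNAME:$SNORT_DIR/$f" "$STAGE/$f" || return 1
    done
    any_changed "$SNORT_DIR" "$STAGE" || { echo "rules unchanged"; return 0; }
    install_files "$SNORT_DIR" "$STAGE.prev" || return 1   # last good set, for rollback
    install_files "$STAGE" "$SNORT_DIR" || return 1
    if $TEST_CMD >/dev/null 2>&1; then $RESTART_CMD; return $?; fi
    echo "new rules failed $TEST_CMD; rolling back" >&2
    install_files "$STAGE.prev" "$SNORT_DIR"; return 1
}
```

Run `pull_rules` from cron on each sensor; the PulledPork host only needs to expose the files read-only to the sync user's key.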
