[Snort-users] How to handle multiple snort sensors

Jeremy Hoel jthoel at ...11827...
Fri Aug 1 12:04:49 EDT 2014


We run pulledpork on one server; on that same server we also configure the
threshold, bpf, modify sid, update script itself, etc.  15 minutes after pp
runs, it makes a tgz of all the files we want; an hour later each of our
servers connects back at random times, gets the new tgz, unzips it and
restarts snort.  We do this 5 times a day (to account for rule
modifications, whitelisting things, etc).

Simple to manage with cron and a bash script.  Easy to track. Works like a
champ.



On Fri, Aug 1, 2014 at 2:53 PM, Robert Millott <
robm at ...16885...> wrote:

> All
>    I am setting up about 35 snort sensors across our network, all feeding
> back into a SIEM (arcsight).  I was curious, how does anyone else out there
> handle multiple sensors?  I am looking for a way to quickly (and centrally)
> view snort.conf, threshold.conf, bpf filters, rules enabled or disabled etc
> without having to ssh into each individual host.  I know pulled pork will
> handle pulling rules, but I am looking around to see if anyone has a means
> of managing many sensors.
>
> Thanx
>
> --
> Robert Millott
> President, Millott and Associates
> (443) 255-3588
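
The sensor side of the pull model described in the reply above, as an added example that is not part of the original message or the poster's own script. The bundle URL, paths, service name and bundle layout (snort.conf at the top level, referencing its rule and threshold files by relative path) are assumptions; the checksum, member-name check and `snort -T` test before restart are additions beyond what the thread describes.

```bash
#!/usr/bin/env bash
# Sensor-side pull job (added example). URL, paths, bundle layout and the
# service name are assumptions, not values from the thread.
BUNDLE_URL="${BUNDLE_URL:-https://ids-mgmt.example.internal/sensor-bundle.tgz}"
CONF_DIR="${CONF_DIR:-/etc/snort}"
STATE="${STATE:-/var/lib/snort-sync/last.sha256}"

# Read tar member names on stdin; fail on absolute paths or ".." components.
members_safe() {
  ! grep -Eq '^/|(^|/)\.\.(/|$)'
}

# Succeed only if the bundle differs from the last one applied.
bundle_changed() {  # $1 = bundle, $2 = state file
  local new
  new=$(sha256sum "$1" | cut -d' ' -f1)
  [ ! -f "$2" ] || [ "$new" != "$(cat "$2")" ]
}

# Check member names, then unpack into a staging directory.
stage_bundle() {    # $1 = bundle, $2 = staging dir
  tar -tzf "$1" | members_safe || return 1
  mkdir -p "$2" && tar -xzf "$1" -C "$2" --no-same-owner
}

# Fetch, stage, test with "snort -T", and only then install and restart.
sync_once() {
  local tmp rc=0
  tmp=$(mktemp -d) || return 1
  {
    curl -fsS --max-time 120 -o "$tmp/b.tgz" "$BUNDLE_URL" &&
    bundle_changed "$tmp/b.tgz" "$STATE" &&
    stage_bundle "$tmp/b.tgz" "$tmp/stage" &&
    snort -T -c "$tmp/stage/snort.conf" >/dev/null 2>&1 &&
    cp -a "$tmp/stage/." "$CONF_DIR/" &&
    sha256sum "$tmp/b.tgz" | cut -d' ' -f1 > "$STATE" &&
    service snort restart
  } || rc=$?
  rm -rf "$tmp"
  return "$rc"
}

if [ "${1:-}" = "--run" ]; then
  sleep $((RANDOM % 900))  # jitter so sensors do not all fetch at once
  sync_once
fi
```

A non-zero exit covers both "nothing new" and "bundle rejected"; in either case the running Snort and its installed configuration are left untouched.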