Re: [Snort-users] Managing many sensors

From: Andreas Östling (andreasoit.su.se)
Date: Fri Jan 02 2004 - 14:00:05 CST


On Tue, 30 Dec 2003, robert schwartz wrote:

> What is the best way to proceed assuming standard UN*X style tools like
> SSH, OpenSSL, Rsync, etc? Currently I have certificate auth working
> from a "master" sensor to the "slave" sensors for SSH and Rsync over
> ssh, but the "perfect" way to update rules from master to clients eludes
> me. Any help?

It sounds like your solution is pretty good and I wouldn't know what the
"perfect" way is. I can only tell you how I did with the rules and
config part in case it could give some ideas.
Some of the requirements I had:

- Ability to use one global config where rules can be globally
  enabled/disabled/modified and then also ability to fine-tune
  rules/config on each sensor (even override global settings if required)
  and also have each one report all exact changes (as a change in the
  global config may give different results on different sensors depending
  on their local configuration, it's nice to be informed of the exact
  resulting diff). Same goes for non-rule stuff like variables and bpf
  filters and such.

- Must work equally well for official and local rules (hence also
  multi-line rules for example), and new local rules and other config
  stuff must only have to be added in one single place

- Must scale well, i.e. number of sensors should not matter at all and
  adding new sensors must be trivial. Everything must be easy to script
  and a GUI should be optional, not required.

The solution for me was to run Oinkmaster on each sensor to grab rules
and other configs from a central host (which itself has first updated and
processed them with a global Oinkmaster config). To keep things simple I
use one tarball for official rules and another for local stuff, and they
go to different output directories.

One thing I like to take advantage of is the fact that Snort (and
Oinkmaster as well if you use that) can use include files, so you can
reduce admin overhead by using multiple config files. I use this by
having one global snort config (containing all common stuff) and also one
sensor-specific config for each sensor. They are also distributed with
Oinkmaster just as the other files.

/Andreas
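As an added example (not part of the list post or of Oinkmaster itself), a POSIX shell sketch of the two-tier setup Andreas describes: the central host's global Oinkmaster config, a sensor config that `include`s settings shared by all sensors and adds its own tuning, the packaging of a processed tree into a tarball, and the per-sensor pull into its own output directory. The hostname, file paths, SIDs and the `common.conf` name are assumptions.

```shell
#!/bin/sh
# Two-tier Oinkmaster distribution: the central host fetches the official
# ruleset once with a global config and republishes it, plus a second tarball
# of local rules and Snort configs; every sensor pulls both with its own
# config.  Hostnames, paths and SIDs below are constructed for this example.
set -e
# Central host: global Oinkmaster config.  The URL and SIDs are placeholders.
write_global_conf() {   # $1 = path to write
    cat > "$1" <<'EOF'
url = http://rules.example.invalid/snortrules-snapshot.tar.gz
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
disablesid 1000001, 1000002
EOF
}

# Sensor: pull in the settings shared by all sensors via "include", then
# add this sensor's own tuning on top.
write_sensor_conf() {   # $1 = path to write, $2 = common config to include
    cat > "$1" <<EOF
include $2
# Sensor-only tuning: keep SID 1000003 as locally modified, drop 1000004.
localsid 1000003
disablesid 1000004
EOF
}

# Central host: package a processed tree for the sensors.  Oinkmaster
# expects a top-level "rules" directory inside the archive.
package_rules() {   # $1 = parent dir holding "rules/", $2 = tarball to write
    tar czf "$2" -C "$1" rules
    tar tzf "$2" | grep -c '^rules/'
}

# Sensor: one pull per tarball into its own output directory, so official
# and local files never collide; Oinkmaster's output is the change report
# (added/removed/modified rules) that cron mails back for this sensor.
sensor_pull_cmd() {   # $1 = sensor config, $2 = tarball URL, $3 = output dir
    echo "oinkmaster.pl -C $1 -u $2 -o $3"
}
# Dry run in a temp dir; oinkmaster.pl is only invoked when installed.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/rules" "$d/out"
    echo 'alert tcp any any -> any 80 (msg:"constructed"; sid:1000003;)' > "$d/rules/local.rules"
    write_global_conf "$d/global.conf"; write_sensor_conf "$d/sensor1.conf" "$d/common.conf"
    package_rules "$d" "$d/local.tar.gz" >/dev/null
    cmd=$(sensor_pull_cmd "$d/sensor1.conf" "file://$d/local.tar.gz" "$d/out")
    command -v oinkmaster.pl >/dev/null 2>&1 && $cmd
    echo "$cmd"
}
```

Running the same pull a second time with the official tarball and a different `-o` directory gives the two-output-directory layout from the post.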
