Thursday, December 3, 2009

Managing Your Snort Signatures

I’m a huge fan of Snort, but in an enterprise deployment where you are managing multiple sensors, a back-end database, a web front-end and possibly correlating with other security tools (as in OSSIM), managing your ruleset can get tedious at best. Enter PulledPork. Like Oinkmaster it keeps your rules up to date, but it also makes your life easier: you keep a list of the rules you want disabled, and PulledPork re-applies that list every time it downloads a new ruleset, so your tuning survives the update instead of being overwritten by it.

Now there are two scenarios for your sensors in a distributed IDS:

  1. Your sensors are running the same rules and looking for the same traffic –> run a daily cron job of pulledpork (pulledpork.pl -c pulledpork.conf -i disablesid.conf) on one server and rsync to the other sensors in your environment.
  2. Your sensors have disparate rulesets –> use pulledpork to download the full ruleset once on your database server, and rsync it to your sensors. Then run pulledpork on each sensor with only that sensor’s own disablesid.conf (pulledpork.pl -i disablesid.conf) to disable the sids that sensor should not use. The download happens once; the per-sensor disable list is the only thing that differs.
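Scenario 1 as a cron-driven script, as an added example; this is not PulledPork’s own code and was not part of the original post. It runs the pulledpork command above on the management host, checks that Snort still parses the resulting ruleset with `snort -T` before anything leaves that host, and only then rsyncs the rules directory to each sensor and HUPs Snort there. The paths, the sensor names, the pid file location, the disablesid.conf entry format and the HUP-to-reload step are assumptions; adjust them to your deployment.

```shell
#!/bin/sh
# Added example (not PulledPork's own code): cron wrapper for scenario 1,
# where every sensor runs the same ruleset. Download once, validate once,
# then push to every sensor. All paths and host names below are assumptions.
set -eu

PULLEDPORK=${PULLEDPORK:-/usr/local/bin/pulledpork.pl}
SNORT=${SNORT:-/usr/local/bin/snort}
RSYNC=${RSYNC:-rsync}
SSH=${SSH:-ssh}
CONF=${CONF:-/etc/snort/pulledpork.conf}             # holds the Oinkcode: keep it mode 600
DISABLESID=${DISABLESID:-/etc/snort/disablesid.conf} # assumed format: one gid:sid per line, e.g. 1:2010001
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
RULES_DIR=${RULES_DIR:-/etc/snort/rules}
PIDFILE=${PIDFILE:-/var/run/snort_eth0.pid}          # assumed pid file on the sensors
SENSORS=${SENSORS:-"sensor1 sensor2"}                # hosts reachable over ssh as the cron user

# Step 1: download the new snapshot and apply the disable list (the command from the post).
update_rules() {
    "$PULLEDPORK" -c "$CONF" -i "$DISABLESID"
}

# Step 2: never ship an untested ruleset. `snort -T` parses snort.conf and every
# rule file it includes and exits non-zero if anything is malformed, so a broken
# rule is caught here instead of taking down every sensor at once.
validate_rules() {
    "$SNORT" -T -c "$SNORT_CONF" >/dev/null 2>&1
}

# Step 3: mirror the rules directory to each sensor (--delete removes rule files
# that PulledPork dropped) and signal Snort to restart with the new rules.
push_rules() {
    for sensor in $SENSORS; do
        "$RSYNC" -az --delete "$RULES_DIR/" "$sensor:$RULES_DIR/"
        "$SSH" "$sensor" "kill -HUP \$(cat $PIDFILE)"
    done
}

# Returns non-zero and leaves the sensors untouched if download or validation fails.
run_update() {
    update_rules   || { echo "pulledpork failed; sensors not updated" >&2; return 1; }
    validate_rules || { echo "snort -T rejected the new ruleset; sensors not updated" >&2; return 1; }
    push_rules
}

# Cron entry (assumed): 0 3 * * * /usr/local/sbin/pulledpork_push.sh run
case "${1:-}" in
    run) run_update ;;
esac
```

The validation step is the part worth keeping even if you change everything else: a syntax error in a freshly downloaded rule file stops one host’s `snort -T` instead of every sensor’s restart.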

You still need to register on snort.org and get yourself an Oinkcode; that is the credential PulledPork presents to download the updated signatures, so treat the config file that holds it like a password file (readable only by the user the cron job runs as). Once you have your Oinkcode, put it in the config, and unless you paid for a VRT subscription you will want to change the subscriber snapshot (the _s suffix) to the snapshot available to registered users, which is published later than the subscriber release:

rule_file=snortrules-snapshot-2.8_s.tar.gz

to:

rule_file=snortrules-snapshot-2.8.tar.gz

All pretty easy, but now you don’t have to remember to update your signatures or touch each of your sensors when you do!
