<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;"><div>Can I use puppet/ansible to install rules on central server and then push it with an script or just copy the rules on each suricata instance?</div><div><br></div><div><br></div><span id="OLK_SRC_BODY_SECTION"><div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span style="font-weight:bold">From: </span> Alan Wanderley dos Santos <<a href="mailto:alan.santos@rnp.br">alan.santos@rnp.br</a>><br><span style="font-weight:bold">Date: </span> Tuesday, July 14, 2015 at 8:35 AM<br><span style="font-weight:bold">To: </span> "Saxena, Samiksha" <<a href="mailto:samiksha.saxena@one.verizon.com">samiksha.saxena@one.verizon.com</a>><br><span style="font-weight:bold">Cc: </span> "<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>" <<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>><br><span style="font-weight:bold">Subject: </span> Re: [Oisf-users] Suricata rule deployment<br></div><div><br></div><div><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div><div style="font-family: Andale Mono; font-size: 12pt; color: #000000"><div>Hi,</div><div><br data-mce-bogus="1"></div><div>I did a master server with a web gui interface. So, is possible deploy rules updates (.tar.gz files) on this web gui. The engines have a shell script that download and deploy on each suricata instance. We chose do that way because some reasons:</div><div><br data-mce-bogus="1"></div><div>* We have some particulars rules and there are rules with "false positive" (i don't know with this is the better word).
</div><div>* Make the deploy process user-friendly.</div><div>* We don't have control on suricata instances. Each admin have control (user-level) on your own instance.</div><div><br data-mce-bogus="1"></div><div>Sorry for my english mistakes.</div><div><br data-mce-bogus="1"></div><div>Best Regards,</div><div><br></div><div data-marker="__SIG_PRE__">-----------------------------------------------<br>
Alan Santos<br>
Analista de Segurança<br>
Centro de Atendimento a Incidentes de Segurança (CAIS)<br>
Rede Nacional de Ensino e Pesquisa (RNP)<br>
(19) 3787-3314 | <a href="mailto:alan.santos@rnp.br">alan.santos@rnp.br</a></div><br><hr id="zwchr" data-marker="__DIVIDER__"><div data-marker="__HEADERS__"><b>De: </b>"Saxena, Samiksha" <<a href="mailto:samiksha.saxena@verizon.com">samiksha.saxena@verizon.com</a>><br><b>Para: </b>"<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>" <<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>><br><b>Enviadas: </b>Sexta-feira, 10 de julho de 2015 17:06:04<br><b>Assunto: </b>[Oisf-users] Suricata rule deployment<br></div><br><div data-marker="__QUOTED_TEXT__"><div>Hi, </div><br><div>I have a question about Suricata rules push. I am thinking to use Okinmaster to install rules. Is there a way to have a centrailzed server to install all the rules and distribute to all the suricata instances?</div><br><div>Thanks</div><br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Suricata User Conference November 4 & 5 in Barcelona: <a href="http://oisfevents.net">http://oisfevents.net</a><br></div></div></div></div></span></body></html>