<html><body><div style="font-family: Andale Mono; font-size: 12pt; color: #000000"><div>Hi,</div><div><br data-mce-bogus="1"></div><div>Yes, it's possible. There are a lot of emails about Puppet in older mails from this list.<br></div><div><br data-mce-bogus="1"></div><div>In our environment, we use scripts (on each Suricata instance) to get all rules from a master server. The master server is manually updated. In this case, I don't think that Puppet is necessary because we update (manually) just the master.</div><div><br data-mce-bogus="1"></div><div>The master has an Apache server that allows download of the rules (.tar.gz file). The script on each Suricata instance (we call it an engine) gets the file using curl. The script untars the file, installs the rules and restarts the Suricata service.</div><div><br></div><div>But we developed it this way to meet our own requirements. Maybe, in your case, Puppet is enough(?).</div><div><br data-mce-bogus="1"></div><div>Best Regards,</div><div><br data-mce-bogus="1"></div><div>-----------------------------------------------<br></div><div data-marker="__SIG_PRE__">Alan Santos<br>Security Analyst<br>Centro de Atendimento a Incidentes de Segurança (CAIS)<br>Rede Nacional de Ensino e Pesquisa (RNP)<br>(19) 3787-3314 | alan.santos@rnp.br</div><br><hr id="zwchr" data-marker="__DIVIDER__"><div data-marker="__HEADERS__"><b>From: </b>"Saxena, Samiksha" &lt;samiksha.saxena@verizon.com&gt;<br><b>To: </b>"Alan Wanderley dos Santos" &lt;alan.santos@rnp.br&gt;<br><b>Cc: </b>oisf-users@lists.openinfosecfoundation.org<br><b>Sent: </b>Thursday, July 16, 2015 14:23:11<br><b>Subject: </b>Re: [Oisf-users] Suricata rule deployment<br></div><br><div data-marker="__QUOTED_TEXT__"><div>Can I use Puppet/Ansible to install rules on a central server and then push them with a script, or just copy the rules to each Suricata instance?</div><br><br><span id="OLK_SRC_BODY_SECTION"><div style="font-family: Calibri; font-size: 11pt; text-align: left; color: black; 
border-bottom: medium none; border-left: medium none; border-top: #b5c4df 1pt solid; border-right: medium none; padding: 3pt 0in 0in 0in;" data-mce-style="font-family: Calibri; font-size: 11pt; text-align: left; color: black; border-bottom: medium none; border-left: medium none; border-top: #b5c4df 1pt solid; border-right: medium none; padding: 3pt 0in 0in 0in;"><span style="font-weight: bold;" data-mce-style="font-weight: bold;">From: </span> Alan Wanderley dos Santos &lt;<a href="mailto:alan.santos@rnp.br" target="_blank">alan.santos@rnp.br</a>&gt;<br><span style="font-weight: bold;" data-mce-style="font-weight: bold;">Date: </span> Tuesday, July 14, 2015 at 8:35 AM<br><span style="font-weight: bold;" data-mce-style="font-weight: bold;">To: </span> "Saxena, Samiksha" &lt;<a href="mailto:samiksha.saxena@one.verizon.com" target="_blank">samiksha.saxena@one.verizon.com</a>&gt;<br><span style="font-weight: bold;" data-mce-style="font-weight: bold;">Cc: </span> "<a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a>" &lt;<a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a>&gt;<br><span style="font-weight: bold;" data-mce-style="font-weight: bold;">Subject: </span> Re: [Oisf-users] Suricata rule deployment<br></div><br><div><div><div style="font-family: Andale Mono; font-size: 12pt; color: #000000;" data-mce-style="font-family: Andale Mono; font-size: 12pt; color: #000000;"><div>Hi,</div><br><div>I made a master server with a web GUI interface. So it is possible to deploy rule updates (.tar.gz files) on this web GUI. The engines have a shell script that downloads and deploys them on each Suricata instance. We chose to do it that way for some reasons:</div><br><div>* We have some particular rules and there are rules with "false positives" (I don't know if this is the best word).
</div><div>* Make the deployment process user-friendly.</div><div>* We don't have control over the Suricata instances. Each admin has control (user-level) over their own instance.</div><br><div>Sorry for my English mistakes.</div><br><div>Best Regards,</div><br><div>-----------------------------------------------<br>
Alan Santos<br>
Security Analyst<br>
Centro de Atendimento a Incidentes de Segurança (CAIS)<br>
Rede Nacional de Ensino e Pesquisa (RNP)<br>
(19) 3787-3314 | <a href="mailto:alan.santos@rnp.br" target="_blank">alan.santos@rnp.br</a></div><br><hr id="zwchr"><div><b>From: </b>"Saxena, Samiksha" &lt;<a href="mailto:samiksha.saxena@verizon.com" target="_blank">samiksha.saxena@verizon.com</a>&gt;<br><b>To: </b>"<a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a>" &lt;<a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a>&gt;<br><b>Sent: </b>Friday, July 10, 2015 17:06:04<br><b>Subject: </b>[Oisf-users] Suricata rule deployment<br></div><br><div><div>Hi, </div><br><div>I have a question about Suricata rules push. I am thinking of using Oinkmaster to install rules. Is there a way to have a centralized server to install all the rules and distribute them to all the Suricata instances?</div><br><div>Thanks</div><br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Suricata User Conference November 4 & 5 in Barcelona: <a href="http://oisfevents.net" target="_blank">http://oisfevents.net</a></div></div></div></div></span><br></div></div></body></html>
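The pull-based update described in this thread (each engine fetches a .tar.gz from the master with curl, unpacks it, installs the rules and restarts Suricata), sketched as an added example that is not the poster's script or part of the original messages. MASTER_URL, the .sha256 sidecar file published next to the archive, the directory paths and the use of systemd are assumptions.

```bash
#!/bin/sh
# Added example, not the poster's script. MASTER_URL, the .sha256 sidecar
# file, the paths below and the systemd unit name are assumptions.
MASTER_URL="${MASTER_URL:-https://master.example.org/rules}"  # hypothetical
RULES_DIR="${RULES_DIR:-/etc/suricata/rules}"
CONF="${CONF:-/etc/suricata/suricata.yaml}"

# verify_archive <archive> <sha256-file>: digest in the file must match.
verify_archive() {
    va_want=$(awk '{print $1; exit}' "$2") || return 1
    va_got=$(sha256sum "$1" | awk '{print $1}') || return 1
    [ -n "$va_want" ] && [ "$va_want" = "$va_got" ]
}

# safe_members <archive>: fail on absolute paths or ".." components, which
# could write outside the staging directory when extracted.
safe_members() {
    sm_list=$(tar -tzf "$1") || return 1
    [ -n "$sm_list" ] || return 1
    ! printf '%s\n' "$sm_list" | grep -Eq '^/|(^|/)\.\.(/|$)'
}

# stage_rules <archive> <sha256-file> <dir>: unpack only a verified archive.
stage_rules() {
    verify_archive "$1" "$2" || { echo "digest mismatch" >&2; return 1; }
    safe_members "$1" || { echo "unsafe member path" >&2; return 1; }
    tar -xzo -f "$1" -C "$3"
}

main() {
    tmp=$(mktemp -d) || return 1
    trap 'rm -rf "$tmp"' EXIT
    mkdir "$tmp/stage" || return 1
    curl -fsS --proto '=https' -o "$tmp/rules.tar.gz" "$MASTER_URL/rules.tar.gz" || return 1
    curl -fsS --proto '=https' -o "$tmp/rules.sha256" "$MASTER_URL/rules.tar.gz.sha256" || return 1
    stage_rules "$tmp/rules.tar.gz" "$tmp/rules.sha256" "$tmp/stage" || return 1
    cp -a "$RULES_DIR" "$tmp/backup" || return 1
    find "$tmp/stage" -type f -name '*.rules' -exec cp {} "$RULES_DIR"/ \; || return 1
    # suricata -T only tests the configuration and rules, then exits.
    if suricata -T -c "$CONF"; then
        systemctl restart suricata
    else
        cp -a "$tmp/backup/." "$RULES_DIR"/   # put back overwritten files
        return 1
    fi
}

if [ "${1:-}" = "--deploy" ]; then main; fi
```

A digest fetched from the same server catches truncated or corrupted downloads; guarding against a tampered master would need a signature made with a key kept off that server.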