[Oisf-users] Suricata rule deployment

Cooper F. Nelson cnelson at ucsd.edu
Fri Jul 10 20:15:58 UTC 2015



There are lots of ways to do this, but keep in mind it breaks the
license agreement of the vendors that provide premium signatures.  Make
sure you are paying for a license per sensor.

Anyways, you can easily have a cron job that keeps a local copy of the
tar.gz file in sync and then use oinkmaster on each host to pull that
copy as per the example in the conf file:

> # Example to use scp to copy the rules archive from another host.
> # Only OpenSSH is tested. See the FAQ for more information.
> # url = scp://user@somehost.example.com:/somedir/snortrules.tar.gz

Or, you can have a 'master' sensor and use rsync to keep all the other
sensors in sync with it.

-Coop

On 7/10/2015 1:06 PM, Saxena, Samiksha wrote:
> Hi, 
> 
> I have a question about Suricata rules push. I am thinking of using
> Oinkmaster to install rules. Is there a way to have a centralized server
> to install all the rules and distribute them to all the Suricata instances?
> 
> Thanks
> 
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
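As an added example, not code from this thread or from the Oinkmaster project, here is a POSIX shell script for the cron-fed local mirror described above: the freshly downloaded archive is published into the mirror only after its SHA-256 matches a sidecar checksum file, the copy is installed with an atomic rename so a sensor never pulls a half-written file, and the 'master sensor' variant pushes the mirror to the other sensors with rsync. The mirror path, the sensor host names and the sidecar `.sha256` file are assumptions; the Oinkmaster side is unchanged and simply points its `url` at this mirror as in the conf example quoted in the reply.

```shell
#!/bin/sh
# Added example (not from the list post): publish a rules archive to a local
# mirror only when its SHA-256 matches a sidecar checksum, then push the mirror
# to the other sensors. MIRROR_DIR, the sensor names and the sidecar file are
# assumptions for illustration.
set -eu

MIRROR_DIR="${MIRROR_DIR:-/var/rules-mirror}"   # assumed mirror path on the master

# Print the SHA-256 of a file, using sha256sum (Linux) or shasum (BSD/macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# publish_rules ARCHIVE CHECKSUM_FILE DEST_DIR
# Returns 0 and installs DEST_DIR/snortrules.tar.gz when the checksum matches;
# returns 1 and leaves the previously published copy untouched otherwise.
publish_rules() {
    archive=$1; sums=$2; dest=$3
    expected=$(awk '{print $1; exit}' "$sums")   # first field of the sidecar file
    actual=$(file_sha256 "$archive")
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $archive: expected $expected, got $actual" >&2
        return 1
    fi
    mkdir -p "$dest"
    # Copy under a temporary name in the same directory, then rename: a sensor
    # pulling over scp or rsync either sees the old archive or the new one.
    cp "$archive" "$dest/.snortrules.tar.gz.tmp"
    mv "$dest/.snortrules.tar.gz.tmp" "$dest/snortrules.tar.gz"
    return 0
}

# push_to_sensors DEST_DIR SENSOR...
# The 'master sensor' variant: mirror DEST_DIR onto every listed sensor.
# RSYNC can be overridden (e.g. RSYNC=echo) to see the commands without running them.
push_to_sensors() {
    dest=$1; shift
    rsync_cmd=${RSYNC:-rsync}
    for sensor in "$@"; do
        "$rsync_cmd" -az --delete "$dest/" "$sensor:$dest/"
    done
}

# Cron entry on the master (assumed): fetch the vendor archive and its checksum
# into a scratch directory, then run
#   sync_rules.sh /tmp/snortrules.tar.gz /tmp/snortrules.tar.gz.sha256
# On each sensor, oinkmaster points its url at the mirror (scp:// as in the
# quoted conf example) and a cron entry such as
#   0 * * * * oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
# pulls from it.
main() {
    publish_rules "$1" "$2" "$MIRROR_DIR"
    push_to_sensors "$MIRROR_DIR" sensor1.example.com sensor2.example.com   # assumed hosts
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Because the sidecar checksum is fetched alongside the archive, this only protects against a truncated or corrupted download, not against a compromised upstream; publishing the checksum out of band, or having the master sign the archive before the sensors pull it, is the step that closes that gap.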
