[Oisf-users] Suricata rule deployment

Alan Wanderley dos Santos alan.santos at rnp.br
Thu Jul 16 17:42:38 UTC 2015


Hi, 

Yes, it's possible. There are a lot of emails about Puppet in older mails from this list. 

In our environment, we use scripts (on each Suricata instance) to get all rules from a master server. The master server is manually updated. In this case, I don't think that Puppet is necessary because we update (manually) just the master. 

The master has an Apache server that allows download of the rules (.tar.gz file). The script on each Suricata instance (we call it the engine) gets the file using curl. The script untars the file, installs the rules and restarts the Suricata service. 

But we developed it this way to meet our own requirements. Maybe, in your case, Puppet is enough(?). 

Best Regards, 

----------------------------------------------- 
Alan Santos 
Security Analyst 
Centro de Atendimento a Incidentes de Segurança (CAIS) 
Rede Nacional de Ensino e Pesquisa (RNP) 
(19) 3787-3314 | alan.santos at rnp.br 


From: "Saxena, Samiksha" <samiksha.saxena at verizon.com> 
To: "Alan Wanderley dos Santos" <alan.santos at rnp.br> 
Cc: oisf-users at lists.openinfosecfoundation.org 
Sent: Thursday, 16 July 2015 14:23:11 
Subject: Re: [Oisf-users] Suricata rule deployment 

Can I use Puppet/Ansible to install rules on a central server and then push them with a script, or just copy the rules onto each Suricata instance? 


From: Alan Wanderley dos Santos <alan.santos at rnp.br> 
Date: Tuesday, July 14, 2015 at 8:35 AM 
To: "Saxena, Samiksha" <samiksha.saxena at one.verizon.com> 
Cc: "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org> 
Subject: Re: [Oisf-users] Suricata rule deployment 

Hi, 

I built a master server with a web GUI interface, so it is possible to deploy rule updates (.tar.gz files) through this web GUI. The engines have a shell script that downloads and deploys the rules on each Suricata instance. We chose to do it that way for some reasons: 

* We have some particular rules, and there are rules with "false positives" (I don't know if this is the best word). 
* Make the deploy process user-friendly. 
* We don't have control of the Suricata instances. Each admin has control (user-level) over their own instance. 

Sorry for my English mistakes. 

Best Regards, 



From: "Saxena, Samiksha" <samiksha.saxena at verizon.com> 
To: "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org> 
Sent: Friday, 10 July 2015 17:06:04 
Subject: [Oisf-users] Suricata rule deployment 

Hi, 

I have a question about Suricata rules push. I am thinking of using Oinkmaster to install rules. Is there a way to have a centralized server to install all the rules and distribute them to all the Suricata instances? 

Thanks 

_______________________________________________ 
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org 
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/ 
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users 
Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net 
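The pull script Alan describes (curl the .tar.gz from the master, untar, install, restart Suricata), written out as an added example; this is not the RNP script. It assumes a hypothetical master URL, a flat archive of .rules files, and a .sha256 sidecar published next to the tarball, and adds the checks a practitioner would want around that flow: checksum verification, rejection of archive entries that escape the rules directory, and a `suricata -T` config test with rollback before the restart.

```shell
#!/usr/bin/env bash
# Added example, not the RNP script. Assumes the master publishes rules.tar.gz
# (flat .rules files) plus a rules.tar.gz.sha256 sidecar over HTTPS.
set -eu
MASTER_URL="${MASTER_URL:-https://rules-master.example.internal/rules.tar.gz}"  # hypothetical
RULES_DIR="${RULES_DIR:-/etc/suricata/rules}"
SURICATA_CONF="${SURICATA_CONF:-/etc/suricata/suricata.yaml}"
# Pull the tarball and its checksum into scratch directory $1, HTTPS only.
fetch_rules() {
    curl -fsSL --proto '=https' --tlsv1.2 -o "$1/rules.tar.gz" "$MASTER_URL"
    curl -fsSL --proto '=https' --tlsv1.2 -o "$1/rules.tar.gz.sha256" "$MASTER_URL.sha256"
}
# Return non-zero unless the tarball's SHA-256 matches the sidecar file.
verify_rules() {
    expected=$(awk '{print $1}' "$1.sha256")
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}
# Unpack $1 into a staging dir, keep only .rules files, then swap the staged
# set into $2 so that a half-written rule set is never what Suricata loads.
install_rules() {
    tarball="$1"; rules_dir="$2"
    if tar -tzf "$tarball" | grep -Eq '(^|/)\.\.(/|$)|^/'; then
        echo "refusing archive with absolute or parent-directory paths" >&2; return 1
    fi
    staging=$(mktemp -d) && chmod 755 "$staging"
    tar -xzf "$tarball" -C "$staging"
    find "$staging" -type f ! -name '*.rules' -delete
    rm -rf "$rules_dir.old"
    mkdir -p "$rules_dir" && mv "$rules_dir" "$rules_dir.old"
    mv "$staging" "$rules_dir"
}
# Test the config with the new rules before restarting; roll back on failure.
# (suricatasc -c ruleset-reload-rules would avoid the restart downtime.)
reload_suricata() {
    if suricata -T -c "$SURICATA_CONF" >/dev/null 2>&1; then
        systemctl restart suricata
    else
        echo "suricata -T rejected the new rules; restoring previous set" >&2
        rm -rf "$RULES_DIR" && mv "$RULES_DIR.old" "$RULES_DIR"; return 1
    fi
}
main() {
    work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
    fetch_rules "$work"
    verify_rules "$work/rules.tar.gz"
    install_rules "$work/rules.tar.gz" "$RULES_DIR"
    reload_suricata
}
case "${1:-}" in run) main ;; esac   # invoke as: rules-pull.sh run
```

Run it from cron on each engine with `run` as the argument; every step is a function so the checksum and install logic can be exercised against a locally built tarball before pointing it at a real master.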


