[Oisf-users] Suricata rule deployment

Brandon Lattin latt0050 at umn.edu
Thu Jul 16 17:53:42 UTC 2015


We wrote a replacement for oinkmaster/pulledpork that's intended for highly
tuned rulesets and multiple sensors. We were planning on releasing it to
the public, but have been caught up with a million other projects recently.

It generates the rule files (all.rules, .map files, etc), a rule state
config, and some additional reports, which are all pushed to a local github
repo that is pulled by all sensors on Suricata restart. It's probably not
worth all the hassle if you're a smaller shop, but if you're managing a
large number of sensors, it may prove useful.

I'll chat with the lead developer and try and bump up the public release to
the near future.

On Thu, Jul 16, 2015 at 12:42 PM, Alan Wanderley dos Santos <
alan.santos at rnp.br> wrote:

> Hi,
>
> Yes, it's possible. There are a lot of emails about puppet in older mails
> from this list.
>
> In our environment, we use scripts (on each suricata instance) to get all
> rules from a master server. The master server is manually updated. In this
> case, I don't think that puppet is necessary because we update (manually)
> just the master.
>
> The master has an Apache server that allows download of the rules (.tar.gz
> file). The script on each suricata instance (we call it an engine) gets the
> file using curl. The script untars the file, installs the rules and restarts
> the suricata service.
>
> But we developed it this way to supply our own requirements. Maybe, in your
> case, puppet is enough(?).
>
> Best Regards,
>
> -----------------------------------------------
> Alan Santos
> Security Analyst
> Centro de Atendimento a Incidentes de Segurança (CAIS)
> Rede Nacional de Ensino e Pesquisa (RNP)
> (19) 3787-3314 | alan.santos at rnp.br
>
> ------------------------------
> *From: *"Saxena, Samiksha" <samiksha.saxena at verizon.com>
> *To: *"Alan Wanderley dos Santos" <alan.santos at rnp.br>
> *Cc: *oisf-users at lists.openinfosecfoundation.org
> *Sent: *Thursday, 16 July 2015 14:23:11
> *Subject: *Re: [Oisf-users] Suricata rule deployment
>
> Can I use puppet/ansible to install rules on a central server and then push
> them with a script, or just copy the rules to each suricata instance?
>
>
> From: Alan Wanderley dos Santos <alan.santos at rnp.br>
> Date: Tuesday, July 14, 2015 at 8:35 AM
> To: "Saxena, Samiksha" <samiksha.saxena at one.verizon.com>
> Cc: "oisf-users at lists.openinfosecfoundation.org" <
> oisf-users at lists.openinfosecfoundation.org>
> Subject: Re: [Oisf-users] Suricata rule deployment
>
> Hi,
>
> I made a master server with a web GUI interface. So it is possible to deploy
> rule updates (.tar.gz files) on this web GUI. The engines have a shell
> script that downloads and deploys on each suricata instance. We chose to do it
> that way for some reasons:
>
> * We have some particular rules and there are rules with "false positives"
> (I don't know if this is the best word).
> * To make the deploy process user-friendly.
> * We don't have control of the suricata instances. Each admin has control
> (user-level) of their own instance.
>
> Sorry for my english mistakes.
>
> Best Regards,
>
> -----------------------------------------------
> Alan Santos
> Security Analyst
> Centro de Atendimento a Incidentes de Segurança (CAIS)
> Rede Nacional de Ensino e Pesquisa (RNP)
> (19) 3787-3314 | alan.santos at rnp.br
>
> ------------------------------
> *From: *"Saxena, Samiksha" <samiksha.saxena at verizon.com>
> *To: *"oisf-users at lists.openinfosecfoundation.org" <
> oisf-users at lists.openinfosecfoundation.org>
> *Sent: *Friday, 10 July 2015 17:06:04
> *Subject: *[Oisf-users] Suricata rule deployment
>
> Hi,
>
> I have a question about Suricata rule push. I am thinking of using
> Oinkmaster to install rules. Is there a way to have a centralized server to
> install all the rules and distribute them to all the suricata instances?
>
> Thanks
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona:
> http://oisfevents.net
>



-- 
Brandon Lattin
Security Analyst
University of Minnesota - University Information Security
Office: 612-626-6672
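As an added example (not the RNP script or the UMN tool described in the thread), a sensor-side pull script of the kind Alan describes: fetch the .tar.gz from the master with curl, verify it against a published checksum, unpack into a staging directory, test-parse it with Suricata, then swap it in and restart. The master URL, the rules.tar.gz.sha256 checksum file and the systemd unit name are assumptions.

```shell
#!/bin/sh
# Sensor-side rule pull (added example; not RNP's or UMN's script). Assumes the
# master publishes rules.tar.gz and rules.tar.gz.sha256 over HTTPS (constructed layout).
set -eu

MASTER_URL="${MASTER_URL:-https://rules-master.example.invalid}"  # placeholder host
RULES_DIR="${RULES_DIR:-/etc/suricata/rules}"
STAGE="${STAGE:-/var/tmp/suricata-rules-stage}"

# Download the archive and its checksum file into $1.
fetch_bundle() {
    curl -fsS --proto '=https' -o "$1/rules.tar.gz" "$MASTER_URL/rules.tar.gz"
    curl -fsS --proto '=https' -o "$1/rules.tar.gz.sha256" "$MASTER_URL/rules.tar.gz.sha256"
}

# Compare the published SHA-256 with the downloaded archive; non-zero on mismatch.
verify_bundle() {
    expected=$(cut -d' ' -f1 "$1/rules.tar.gz.sha256")
    actual=$(sha256sum "$1/rules.tar.gz" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Unpack $1/rules.tar.gz into staging dir $2, refusing members that would
# escape it (absolute paths or '..' components).
unpack_bundle() {
    if tar -tzf "$1/rules.tar.gz" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "archive contains unsafe member paths" >&2
        return 1
    fi
    rm -rf "$2" && mkdir -p "$2" && tar -xzf "$1/rules.tar.gz" -C "$2"
}

# Let Suricata parse the staged ruleset (-T test mode) before it goes live.
validate_rules() {
    suricata -T -c /etc/suricata/suricata.yaml -S "$1/all.rules" >/dev/null 2>&1
}

deploy() {
    tmp=$(mktemp -d)
    fetch_bundle "$tmp"
    verify_bundle "$tmp" || { echo "checksum mismatch; keeping current rules" >&2; exit 1; }
    unpack_bundle "$tmp" "$STAGE"
    validate_rules "$STAGE" || { echo "suricata rejected staged rules" >&2; exit 1; }
    rm -rf "$RULES_DIR.prev"
    mv "$RULES_DIR" "$RULES_DIR.prev" && mv "$STAGE" "$RULES_DIR"
    systemctl restart suricata   # assumes a systemd unit named suricata
    rm -rf "$tmp"
}
if [ "${1:-}" = "run" ]; then deploy; fi
```

Run it as `sh pull-rules.sh run` from cron on each engine; a checksum mismatch or a ruleset Suricata refuses to parse leaves the currently installed rules untouched.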