[Oisf-users] Suricata rule deployment

Saxena, Samiksha samiksha.saxena at verizon.com
Wed Jul 29 18:10:22 UTC 2015


Hi,

I am trying to update rules (live rule swap) without shutting off the Suricata engine. I tried to run this: root at LTS-64-1:~ # kill -USR2 ID, but it seems that nothing happened. I did not receive a notification regarding the rule reload. Will you please help me with what I might be missing.

Thanks
Samiksha
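Added example, not code from anyone in this thread: an engine-side deployment step in the spirit of the curl/untar/restart scripts described below, but using the SIGUSR2 live reload asked about above and refusing to touch the running engine until the new ruleset passes a config test. It assumes a bundle fetched from the master whose SHA-256 is known out of band, a Suricata binary that supports `-T` test mode, a suricata.yaml with `reload: true` under `detect-engine` (which Suricata 2.0 needs for live rule swap), and a pid file at `/var/run/suricata.pid`; the sample tarball is constructed in the code.

```python
import hashlib, io, os, signal, subprocess, tarfile, tempfile
from pathlib import Path

def verify_sha256(bundle: bytes, expected_hex: str) -> bool:
    """Reject a bundle whose digest differs from the value published out of band."""
    return hashlib.sha256(bundle).hexdigest() == expected_hex.lower()

def safe_members(tar: tarfile.TarFile):
    """Yield only regular .rules/.map files with relative, traversal-free names."""
    for m in tar.getmembers():
        p = Path(m.name)
        if (m.isfile() and not p.is_absolute() and ".." not in p.parts
                and p.suffix in (".rules", ".map")):
            yield m

def extract_rules(bundle: bytes, dest: str) -> list:
    """Unpack the vetted members under dest; return their names in archive order."""
    names = []
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:gz") as tar:
        for m in safe_members(tar):
            tar.extract(m, path=dest)
            names.append(m.name)
    return names

def reload_if_valid(config="/etc/suricata/suricata.yaml",       # assumed paths
                    pidfile="/var/run/suricata.pid") -> bool:
    """Test-load the new ruleset with 'suricata -T'; only on success send SIGUSR2,
    the live-reload signal (needs 'reload: true' under detect-engine in the yaml)."""
    test = subprocess.run(["suricata", "-T", "-c", config], capture_output=True)
    if test.returncode != 0:
        return False                      # a broken ruleset never reaches the engine
    pid = int(Path(pidfile).read_text().split()[0])
    os.kill(pid, signal.SIGUSR2)
    return True

def build_sample_bundle() -> bytes:
    """Constructed bundle: one good rules file, one traversal attempt, one stray file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in [("rules/local.rules", b'alert tcp any any -> any any (msg:"test"; sid:1;)\n'),
                           ("../evil.rules", b"# must be dropped by safe_members\n"),
                           ("rules/notes.txt", b"not a rule file\n")]:
            info = tarfile.TarInfo(name); info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(extract_rules(build_sample_bundle(), d))   # ['rules/local.rules']
```

After a successful reload, the engine logs the rule reload start and completion in suricata.log, which is the notification to look for.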




From: Saxena, Samiksha <samiksha.saxena at verizon.com>
Date: Thursday, July 16, 2015 at 1:59 PM
To: Brandon Lattin <latt0050 at umn.edu>, oisf-users <oisf-users at lists.openinfosecfoundation.org>
Subject: Re: [Oisf-users] Suricata rule deployment

This sounds interesting. Please let us know when you have a public release of this application.

From: Brandon Lattin <latt0050 at umn.edu>
Date: Thursday, July 16, 2015 at 1:53 PM
To: oisf-users <oisf-users at lists.openinfosecfoundation.org>
Subject: Re: [Oisf-users] Suricata rule deployment

We wrote a replacement for oinkmaster/pulledpork that's intended for highly tuned rulesets and multiple sensors. We were planning on releasing it to the public, but have been caught up with a million other projects recently.

It generates the rule files (all.rules, .map files, etc), a rule state config, and some additional reports, which are all pushed to a local github repo that is pulled by all sensors on Suricata restart. It's probably not worth all the hassle if you're a smaller shop, but if you're managing a large number of sensors, it may prove useful.

I'll chat with the lead developer and try and bump up the public release to the near future.

On Thu, Jul 16, 2015 at 12:42 PM, Alan Wanderley dos Santos <alan.santos at rnp.br> wrote:
Hi,

Yes, it's possible. There are a lot of emails about puppet in older mails from this list.

In our environment, we use scripts (on each suricata instance) to get all rules from a master server. The master server is manually updated. In this case, I don't think that puppet is necessary because we update (manually) just the master.

The master has an Apache server that allows download of the rules (.tar.gz file). The script on each suricata instance (we call it an engine) gets the file using curl. The script untars the file, installs the rules and restarts the suricata service.

But we developed it this way to meet our own requirements. Maybe, in your case, puppet is enough(?).

Best Regards,

-----------------------------------------------
Alan Santos
Security Analyst
Centro de Atendimento a Incidentes de Segurança (CAIS)
Rede Nacional de Ensino e Pesquisa (RNP)
(19) 3787-3314 | alan.santos at rnp.br

________________________________
From: "Saxena, Samiksha" <samiksha.saxena at verizon.com>
To: "Alan Wanderley dos Santos" <alan.santos at rnp.br>
Cc: oisf-users at lists.openinfosecfoundation.org
Sent: Thursday, 16 July 2015 14:23:11
Subject: Re: [Oisf-users] Suricata rule deployment

Can I use puppet/ansible to install rules on a central server and then push them with a script, or just copy the rules onto each suricata instance?


From: Alan Wanderley dos Santos <alan.santos at rnp.br>
Date: Tuesday, July 14, 2015 at 8:35 AM
To: "Saxena, Samiksha" <samiksha.saxena at one.verizon.com>
Cc: "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
Subject: Re: [Oisf-users] Suricata rule deployment

Hi,

I made a master server with a web GUI. So it is possible to deploy rule updates (.tar.gz files) on this web GUI. The engines have a shell script that downloads and deploys the rules on each suricata instance. We chose to do it that way for some reasons:

* We have some particular rules, and there are rules with "false positives" (I don't know if this is the better word).
* To make the deploy process user-friendly.
* We don't have control of the suricata instances. Each admin has control (user-level) of their own instance.

Sorry for my English mistakes.

Best Regards,

-----------------------------------------------
Alan Santos
Security Analyst
Centro de Atendimento a Incidentes de Segurança (CAIS)
Rede Nacional de Ensino e Pesquisa (RNP)
(19) 3787-3314 | alan.santos at rnp.br

________________________________
From: "Saxena, Samiksha" <samiksha.saxena at verizon.com>
To: "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
Sent: Friday, 10 July 2015 17:06:04
Subject: [Oisf-users] Suricata rule deployment

Hi,

I have a question about Suricata rule pushes. I am thinking of using Oinkmaster to install rules. Is there a way to have a centralized server install all the rules and distribute them to all the suricata instances?

Thanks

_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net





--
Brandon Lattin
Security Analyst
University of Minnesota - University Information Security
Office: 612-626-6672