List: security-onion
Subject: Re: [security-onion] Dealing with multiple sensors with different threshold.conf files
From: Doug Burks <doug.burks () gmail ! com>
Date: 2013-06-20 18:47:28
Message-ID: CAK8kjrC=JeYkXa+PFKoDJTX76zPiz4uNAeL2BxTXQcTE4U4c5g () mail ! gmail ! com
Hi Robert,
Thanks for your email. You may want to avoid modifying rule-update as
any changes will be overwritten when we push out new rule-update
packages (a new one is coming soon). What you may want to do instead
is do these kinds of things in a separate shell script with its own
cron job that runs after rule-update.
Thanks,
Doug
On Thu, Jun 20, 2013 at 2:34 PM, Robert Campbell
<insecuritymatters@gmail.com> wrote:
> I ran across an issue trying to maintain threshold.conf files for all of my
> sensors. Some of the thresholds applied to all the monitored networks while others
> applied to individual sensors. Here is how I handled this situation:
> On the server:
> Create a file /etc/nsm/rules/threshold.conf.global
> Put all of the threshold that apply globally to your network(s).
>
> Create a file/files for each sensor in /etc/nsm/rules
> For example:
> threshold.conf.sensor1.local
> threshold.conf.sensor2.local
> threshold.conf.sensor3.local
>
> Put the thresholds that are unique to each sensor in the respective .local file
>
> On the sensor(s):
> Modify /usr/bin/rule-update as follows:
>
> Find this line:
> _______________________________________________________
> scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/threshold.conf $RULES/threshold.conf
> _______________________________________________________
>
> Change it to this (change sensor1 to match the name of the sensor & it MUST be the
> same as the name of the file you created on the server):
> _______________________________________________________
> scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/threshold.conf.global $RULES/threshold.conf.global
> scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/threshold.conf.sensor1.local $RULES/threshold.conf.local
> cat $RULES/threshold.conf.global $RULES/threshold.conf.local > $RULES/threshold.conf
> ________________________________________________________
> Save the file. Run rule-update to ensure it works as follows:
> sudo /usr/bin/rule-update
>
> The sensor will download the global file as well as the local file for the sensor.
> It will then combine them into a single file called threshold.conf.
> This allows you to manage all thresholds from the central server instead of doing
> it on each sensor.
> If you know of a better way or a way to improve this then please let me know.
> Hopefully this is helpful for others out there in the wild.
> Robert
>
> --
> You received this message because you are subscribed to the Google Groups
> "security-onion" group. To unsubscribe from this group and stop receiving emails
> from it, send an email to security-onion+unsubscribe@googlegroups.com. To post to
> this group, send email to security-onion@googlegroups.com. Visit this group at
> http://groups.google.com/group/security-onion. For more options, visit
> https://groups.google.com/groups/opt_out.
>
--
Doug Burks
http://securityonion.blogspot.com