
List:       security-onion
Subject:    Re: [security-onion] Dealing with multiple sensors with different threshold.conf files
From:       Doug Burks <doug.burks () gmail ! com>
Date:       2013-06-20 18:47:28
Message-ID: CAK8kjrC=JeYkXa+PFKoDJTX76zPiz4uNAeL2BxTXQcTE4U4c5g () mail ! gmail ! com

Hi Robert,

Thanks for your email.  You may want to avoid modifying rule-update as
any changes will be overwritten when we push out new rule-update
packages (a new one is coming soon).  What you may want to do instead
is do these kinds of things in a separate shell script with its own
cron job that runs after rule-update.

Thanks,
Doug

On Thu, Jun 20, 2013 at 2:34 PM, Robert Campbell
<insecuritymatters@gmail.com> wrote:
> I ran across an issue trying to maintain threshold.conf files for all of my
> sensors. Some of the thresholds applied to all the monitored networks while others
> applied to individual sensors. Here is how I handled this situation:
> On the server:
> Create a file /etc/nsm/rules/threshold.conf.global
> Put all of the threshold that apply globally to your network(s).
> 
> Create a file/files for each sensor in /etc/nsm/rules
> For example:
> threshold.conf.sensor1.local
> threshold.conf.sensor2.local
> threshold.conf.sensor3.local
> 
> Put the thresholds that are unique to each sensor in the respective .local file
> 
> On the sensor(s):
> Modify /usr/bin/rule-update as follows:
> 
> Find this line:
> _______________________________________________________
> scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/threshold.conf $RULES/threshold.conf
> _______________________________________________________
> 
> Change it to this (change sensor1 to match the name of the sensor & it MUST be the
> same as the name of the file you created on the server):
> _______________________________________________________
> scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/threshold.conf.global $RULES/threshold.conf.global
> scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:$RULES/threshold.conf.sensor1.local $RULES/threshold.conf.local
> cat $RULES/threshold.conf.global $RULES/threshold.conf.local > $RULES/threshold.conf
> ________________________________________________________
> Save the file. Run rule update to ensure it works as follows:
> sudo /usr/bin/rule-update
> 
> The sensor will download the global file as well as the local file for the sensor.
> It will then combine into a single file called threshold.conf.
> This allows you to manage all thresholds from the central server instead of doing
> it on each sensor.
> If you know of a better way or a way to improve this then please let me know.
> Hopefully this is helpful for others out there in the wild.
> Robert
> 
> --
> You received this message because you are subscribed to the Google Groups
> "security-onion" group. To unsubscribe from this group and stop receiving emails
> from it, send an email to security-onion+unsubscribe@googlegroups.com. To post to
> this group, send email to security-onion@googlegroups.com. Visit this group at
> http://groups.google.com/group/security-onion. For more options, visit
> https://groups.google.com/groups/opt_out.
> 



-- 
Doug Burks
http://securityonion.blogspot.com

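The script below is an added example, not code from this thread or from Security Onion. It implements Robert's global-plus-local merge as the separate, cron-driven script Doug suggests, so that nothing in /usr/bin/rule-update is modified. The script name (merge-thresholds.sh), the function names and the optional RESTART_CMD hook are assumptions; KEY, SSH_USERNAME, SERVERNAME and RULES are the variables Robert's snippet borrows from rule-update and are assumed to be exported before the script runs. It also adds a check the thread does not have: Snort terminates with an error when more than one `threshold`/`event_filter` is defined for the same gen_id/sig_id pair, so the script refuses to overwrite threshold.conf when the global and sensor-local parts collide, leaving the previous working file in place.

```shell
#!/bin/sh
# merge-thresholds.sh (assumed name): build threshold.conf from a global part
# plus a per-sensor part, as a separate step run after rule-update.
# Usage on a sensor:  merge-thresholds.sh sensor1
set -eu

RULES="${RULES:-/etc/nsm/rules}"   # same directory rule-update uses

# Fetch the two parts with the same scp pattern rule-update uses.
# KEY, SSH_USERNAME and SERVERNAME are assumed to be exported by the caller.
fetch_threshold_parts() {
    sensor="$1"
    scp -i "${KEY:?KEY not set}" \
        "${SSH_USERNAME:?}@${SERVERNAME:?}:$RULES/threshold.conf.global" \
        "$RULES/threshold.conf.global"
    scp -i "$KEY" \
        "$SSH_USERNAME@$SERVERNAME:$RULES/threshold.conf.$sensor.local" \
        "$RULES/threshold.conf.local"
}

# Print each gen_id:sig_id that carries more than one threshold/event_filter
# line across the given files (suppress lines may legitimately repeat).
find_duplicate_thresholds() {
    awk '
        /^[[:space:]]*(threshold|event_filter)[[:space:]]/ {
            gid = ""; sid = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "gen_id") { gid = $(i + 1); sub(/,$/, "", gid) }
                if ($i == "sig_id") { sid = $(i + 1); sub(/,$/, "", sid) }
            }
            key = gid ":" sid
            if (seen[key]++ == 1) print key
        }' "$@"
}

# Number of active (non-comment) threshold-type lines in a file.
count_threshold_entries() {
    grep -c -E '^[[:space:]]*(threshold|event_filter|suppress|rate_filter)[[:space:]]' "$1" || true
}

# Concatenate global + local into $3 atomically; refuse, and leave the old
# file untouched, if the parts conflict, since Snort terminates with an error
# when one gen_id/sig_id gets more than one threshold.
merge_threshold_conf() {
    global_file="$1"; local_file="$2"; out="$3"
    [ -f "$global_file" ] && [ -f "$local_file" ] || {
        echo "merge-thresholds: missing $global_file or $local_file" >&2; return 1; }
    dups=$(find_duplicate_thresholds "$global_file" "$local_file")
    if [ -n "$dups" ]; then
        echo "merge-thresholds: same gen_id:sig_id in global and local parts: $dups" >&2
        return 1
    fi
    tmp="$out.tmp.$$"
    {
        echo "# Generated by merge-thresholds.sh; edit the .global/.local parts on the server instead"
        echo "# --- global thresholds ---"
        cat "$global_file"; echo
        echo "# --- sensor-local thresholds ---"
        cat "$local_file"; echo
    } > "$tmp"
    mv "$tmp" "$out"
}

main() {
    fetch_threshold_parts "$1"
    merge_threshold_conf "$RULES/threshold.conf.global" "$RULES/threshold.conf.local" \
                         "$RULES/threshold.conf"
    # threshold.conf is only read at engine start; RESTART_CMD (assumed hook,
    # e.g. the same restart step rule-update performs) runs if the caller sets it.
    [ -z "${RESTART_CMD:-}" ] || sh -c "$RESTART_CMD"
}

# Run the full fetch-and-merge only when a sensor name is given, so the
# functions above can also be sourced and checked on their own.
if [ "$#" -eq 1 ]; then
    main "$1"
fi
```

Schedule it in its own cron entry a few minutes after the existing rule-update entry fires, with the sensor name as the argument, and pass whatever restart step your version of rule-update performs via RESTART_CMD so the engine actually loads the merged file. Because the merge writes to a temporary file and renames it, a failed fetch or a conflict never leaves a half-written threshold.conf behind.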

