[Dshield] IPS/IDS solutions--your opinions?
Stig Sandbeck Mathisen
ssm at fnord.no
Thu Jan 24 08:42:43 GMT 2008
"Mar Matthias Darin" <BDarin at tanaya.net> writes:
> Agreed. This has also been my biggest show-stopper as well. I
> manage way too many machines to spend all day transferring sig files
> then logging in to each of them to reset the IDS. I specifically
> look for software that I can clusterize as it makes my job a lot
> easier and faster.
You need something like Puppet, then, to handle signatures and reload
if changed across a large number of servers. Here is an example config
for a snort class, and a number of nodes using this class.
class snort_class {
  package { "snort":
    ensure => installed,
  }
  service { "snort":
    ensure  => running,
    require => Package["snort"],
  }
  # Only runs when a file resource below notifies it
  exec { "reload snort":
    refreshonly => true,
    command     => "/etc/init.d/snort reload",
    require     => Service["snort"],
  }
  # Set default parameters for all "file" types inside this class
  File {
    notify  => Exec["reload snort"],
    require => Service["snort"],
    owner   => "root",
    group   => "root",
    mode    => "0400",
  }
  # list signature files (entries in one file block are separated by ";")
  file {
    "/etc/snort/rules/my.rules":
      source => "puppet:///snort/my.rules";
    "/etc/snort/rules/your.rules":
      source => "puppet:///snort/your.rules";
    "/etc/snort/rules/other.rules":
      content => template("/etc/puppet/templates/snort/other.rules.erb");
  }
}
# Create a host template for others to inherit from
node snort_host {
  include snort_class
}
# Node list can also be fetched from LDAP or a script.
node 'server1.example.com',
     'server2.example.com',
     'server3.example.com',
     'server256.example.com' inherits snort_host {
}
--
Stig Sandbeck Mathisen
Trust the Computer, the Computer is your Friend
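The same distribute-and-reload pattern written in current Puppet syntax, added here as an illustration and not part of the original message or of any Snort or Puppet project code. It replaces the refresh-only exec with the service type's own `restart` attribute, so a changed rules file triggers a reload rather than a full restart, and manages the rule files from a list so a new signature file is one array entry rather than a new resource. The module name `snort`, the `rules/` subdirectory under the module's files, the rule file names and the reload command are assumptions.

```puppet
# Assumed: a module named "snort" whose files/rules/ directory holds
# the signature files; rule names below are placeholders.
class snort (
  Array[String] $rule_files = ['my.rules', 'your.rules'],
) {
  package { 'snort':
    ensure => installed,
  }

  service { 'snort':
    ensure     => running,
    enable     => true,
    hasrestart => true,
    # Called whenever a resource notifies this service, so a changed
    # rules file causes a signature reload, not a full restart.
    # Assumed reload command; adjust for the init system in use.
    restart    => '/etc/init.d/snort reload',
    require    => Package['snort'],
  }

  # One file resource per signature file in the list.  Changing the
  # content on the Puppet master rolls the new file to every node and
  # reloads Snort there on the next agent run.
  $rule_files.each |String $name| {
    file { "/etc/snort/rules/${name}":
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      # Snort reads rules at start and on reload; if it drops privileges
      # after startup the file must stay readable by that user too.
      mode    => '0400',
      source  => "puppet:///modules/snort/rules/${name}",
      require => Package['snort'],
      notify  => Service['snort'],
    }
  }
}

# Every node that needs the IDS just includes the class; the node list
# can still come from LDAP, an ENC or a script as in the original post.
node 'server1.example.com', 'server2.example.com' {
  include snort
}
```

Because the `restart` attribute belongs to the service resource, the ordering stays simple: package before service, service before nothing in particular, and every rule file notifies the service. Adding a fourth signature file is a change to `$rule_files` (or a Hiera value for it) rather than a new exec/file pair.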