NSM: sensors should not update signature reference table #411

Closed
GoogleCodeExporter opened this Issue Mar 24, 2015 · 9 comments

@GoogleCodeExporter
Have only one copy of barnyard2 that updates signature reference table

Original issue reported on code.google.com by doug.bu...@gmail.com on 6 Nov 2013 at 6:07

GoogleCodeExporter Mar 24, 2015

https://groups.google.com/d/topic/barnyard2-users/IIoyClc7XTc/discussion

"Another and cleaner solution is to only keep 1 dummy barnyard2
process to generate the sig_ref table; that sensor does not even need to be
bound to any snort instance,
and it just needs to have a sid-msg.map file and gen-msg.map file that
is an aggregate of all the rules that every sensor monitors (if your
sensors have different rulesets,
some have xyz rule enabled, some have abc rule, you aggregate a file with
abc and xyz and it should be fine).

And every other barnyard2 instance can have
disable_signature_reference_table configured in the output database, so
that they do not touch sig_reference
at all. That option will speed up the initialization process of every
barnyard2 instance and will not impact logging if an error occurs in the
generation of the sig_reference table,
while delegating that responsibility to the dedicated by2 instance
that will populate it."

Original comment by doug.bu...@gmail.com on 6 Nov 2013 at 6:08

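The quoted thread says the dedicated instance needs a sid-msg.map that is the aggregate of every sensor's ruleset. The script below is an added example of how to build that aggregate; it is not barnyard2's or Security Onion's code. It assumes the classic one-line-per-sid layout `sid || msg || reference || reference ...` (gen-msg.map, keyed on gid and sid, would need a different key), and the sensor names, paths and rule messages in it are constructed for the example.

```shell
#!/bin/sh
# Example (added here; not barnyard2's or Security Onion's code): build the
# aggregate sid-msg.map loaded by the one barnyard2 instance that owns the
# sig_reference table, from the per-sensor maps, as the quoted thread suggests.
# Assumes the classic sid-msg.map layout, one entry per line:
#     sid || msg || reference || reference ...
# Sensor names, paths and rule messages below are constructed for the example.

# merge_sid_msg_maps OUT MAP...  -> writes the union of all entries to OUT.
# Identical entries shipped by several sensors collapse into one line, so a sid
# that still appears twice means two sensors disagree on its msg/reference
# text; the function reports those sids and returns 1 instead of guessing.
merge_sid_msg_maps() {
    out=$1; shift
    grep -h -v '^#' "$@" | grep -v '^[[:space:]]*$' | sort -u > "$out"
    conflicts=$(awk -F'|' '
        { s = $1; gsub(/[[:space:]]/, "", s); n[s]++ }
        END { for (s in n) if (n[s] > 1) printf "%s ", s }' "$out")
    if [ -n "$conflicts" ]; then
        echo "conflicting sid-msg.map entries for sid(s): $conflicts" >&2
        return 1
    fi
}

# count_sids MAP -> number of distinct sids in a (merged) map.
count_sids() {
    awk -F'|' '{ s = $1; gsub(/[[:space:]]/, "", s); n[s] = 1 }
               END { c = 0; for (s in n) c++; print c }' "$1"
}

# Two sensors with overlapping but different rulesets: sid 2000001 is enabled
# on both (same text), 2000002 only on sensor-b. The merged map carries both.
demo_merge() {
    d=$(mktemp -d)
    printf '%s\n' '# sensor-a' \
        '2000001 || EXAMPLE rule abc || url,example.com/abc' > "$d/sensor-a.map"
    printf '%s\n' \
        '2000001 || EXAMPLE rule abc || url,example.com/abc' \
        '2000002 || EXAMPLE rule xyz' > "$d/sensor-b.map"
    merge_sid_msg_maps "$d/sid-msg.map" "$d/sensor-a.map" "$d/sensor-b.map" || return 1
    n=$(count_sids "$d/sid-msg.map")
    rm -rf "$d"
    echo "$n"
}

# Same sid, different msg text on two sensors: refused, so the operator
# decides which text is right instead of the merge picking one silently.
demo_conflict() {
    d=$(mktemp -d)
    printf '%s\n' '2000001 || EXAMPLE rule abc (old text)' > "$d/sensor-a.map"
    printf '%s\n' '2000001 || EXAMPLE rule abc (new text)' > "$d/sensor-b.map"
    if merge_sid_msg_maps "$d/sid-msg.map" "$d/sensor-a.map" "$d/sensor-b.map" 2>/dev/null; then
        echo merged
    else
        echo conflict
    fi
    rm -rf "$d"
}
```

Run it as `merge_sid_msg_maps /etc/nsm/rules/sid-msg.map sensor-a.map sensor-b.map ...` from whatever collects the per-sensor maps; a non-zero exit means a sid with differing text, which is worth fixing at the source rather than letting the dedicated instance load one version at random.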
GoogleCodeExporter Mar 24, 2015

NSM:

sensors need the following appended to the snorby output line:
disable_signature_reference_table

rule-update:

source /etc/nsm/securityonion.conf
if [ -d /var/lib/mysql/snorby ] && [ "$SNORBY_ENABLED" = "yes" ]; then
  # Build the aggregate map and config files the dedicated barnyard2 instance loads
  if [ ! -f /etc/nsm/rules/gen-msg.map ]; then cp /etc/nsm/templates/snort/gen-msg.map /etc/nsm/rules/; fi
  if [ ! -f /etc/nsm/rules/classification.config ]; then
    grep -h -v "^#" /etc/nsm/templates/snort/classification.config /etc/nsm/templates/suricata/classification.config | sort -u > /etc/nsm/rules/classification.config
  fi
  if [ ! -f /etc/nsm/rules/reference.config ]; then
    grep -h -v "^#" /etc/nsm/templates/snort/reference.config /etc/nsm/templates/suricata/reference.config | sort -u > /etc/nsm/rules/reference.config
  fi
  # Clear the reference tables, then let the dedicated instance repopulate them
  mysql snorby -e "delete from sig_reference; delete from reference;"
  barnyard2 -c /etc/nsm/barnyard2-snorby/barnyard2.conf
fi

Original comment by doug.bu...@gmail.com on 6 Jun 2014 at 11:41

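The comment above splits the barnyard2 instances into two roles: the one started by rule-update, which repopulates sig_reference, and the sensor instances, which must carry disable_signature_reference_table on their snorby output line. The script below is an added example of auditing a set of barnyard2 configs for that split; it is not Security Onion's code. It only looks at `output database:` lines, and the config contents, file names and credentials in it are constructed for the example.

```shell
#!/bin/sh
# Example (added here; not Security Onion's code): audit barnyard2 configs so
# that exactly one instance, the dedicated snorby one run by rule-update, may
# populate sig_reference, and every sensor instance opts out with
# disable_signature_reference_table on its "output database:" line.
# Config contents, paths and credentials below are constructed for the example.

# sigref_role CONF -> prints one of:
#   owner   every "output database:" line lacks the option (may write sig_reference)
#   sensor  every "output database:" line has disable_signature_reference_table
#   mixed   some lines have it and some do not
#   none    no "output database:" line at all
sigref_role() {
    awk '
        /^[[:space:]]*output[[:space:]]+database:/ {
            total++
            if ($0 ~ /disable_signature_reference_table/) disabled++
        }
        END {
            if (total == 0)             print "none"
            else if (disabled == 0)     print "owner"
            else if (disabled == total) print "sensor"
            else                        print "mixed"
        }' "$1"
}

# audit_sigref OWNER_CONF SENSOR_CONF... -> 0 if OWNER_CONF is the only config
# allowed to touch sig_reference and every sensor config opts out; otherwise
# names each offending file on stderr and returns 1.
audit_sigref() {
    owner=$1; shift
    rc=0
    [ "$(sigref_role "$owner")" = "owner" ] || { echo "$owner: expected the sig_reference owner" >&2; rc=1; }
    for conf in "$@"; do
        [ "$(sigref_role "$conf")" = "sensor" ] || { echo "$conf: sensor still updates sig_reference" >&2; rc=1; }
    done
    return $rc
}

# Dedicated instance, one fixed sensor, and one sensor that was never updated:
# the audit must fail on the third file.
demo_audit() {
    d=$(mktemp -d)
    cat > "$d/barnyard2-snorby.conf" <<'EOF'
config reference_file: /etc/nsm/rules/reference.config
config classification_file: /etc/nsm/rules/classification.config
output database: alert, mysql, user=snorby password=example dbname=snorby host=127.0.0.1
EOF
    cat > "$d/sensor-eth1.conf" <<'EOF'
output database: alert, mysql, user=snorby password=example dbname=snorby host=127.0.0.1 disable_signature_reference_table
EOF
    cat > "$d/sensor-eth2.conf" <<'EOF'
output database: alert, mysql, user=snorby password=example dbname=snorby host=127.0.0.1
EOF
    if audit_sigref "$d/barnyard2-snorby.conf" "$d/sensor-eth1.conf" "$d/sensor-eth2.conf" 2>/dev/null; then
        echo pass
    else
        echo fail
    fi
    rm -rf "$d"
}
```

Point `audit_sigref` at the real files, e.g. `/etc/nsm/barnyard2-snorby/barnyard2.conf` first and the per-interface barnyard2 configs after it, after a rule or sensor change; a `mixed` or `owner` result on a sensor file means that sensor will still race the dedicated instance for sig_reference on start-up.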
GoogleCodeExporter Mar 24, 2015

Original comment by doug.bu...@gmail.com on 6 Jun 2014 at 6:40

  • Changed title: NSM: Have only one copy of barnyard2 that updates signature reference table
GoogleCodeExporter Mar 24, 2015

Original comment by doug.bu...@gmail.com on 9 Jun 2014 at 11:58

  • Changed title: NSM: sensors should not update signature reference table
GoogleCodeExporter Mar 24, 2015

Submitted for testing:
https://groups.google.com/d/topic/security-onion-testing/pF7U4gjOxOM/discussion

Published:
http://blog.securityonion.net/2014/06/new-barnyard2-nsm-rule-update-and.html

Original comment by doug.bu...@gmail.com on 16 Jun 2014 at 11:19

  • Changed state: Verified