
NSM: sensors should not update signature reference table #411

Closed
GoogleCodeExporter opened this issue Mar 24, 2015 · 9 comments

Comments


@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Have only one copy of barnyard2 that updates signature reference table

Original issue reported on code.google.com by doug.bu...@gmail.com on 6 Nov 2013 at 6:07

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

https://groups.google.com/d/topic/barnyard2-users/IIoyClc7XTc/discussion

"Another and cleaner solution is to only keep 1 dummy barnyard2 process to generate the sig_ref table; that sensor can even not be bound to any snort instance, and it just needs to have a sid-msg.map file and gen-msg.map file that is an aggregate of all the rules that every sensor monitors (if your sensors have different rulesets, some have xyz rule enabled, some have abc rule, you aggregate a file with abc and xyz and it should be fine).

And every other barnyard2 instance can have disable_signature_reference_table configured in the output database, so that they do not touch sig_reference at all. That option will speed up the initialization process of every barnyard2 instance and will not impact logging if an error occurs in the generation of the sig_reference table, while delegating that responsibility to the dedicated by2 instance that will populate it."

Original comment by doug.bu...@gmail.com on 6 Nov 2013 at 6:08
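The quoted design depends on the dedicated barnyard2 instance seeing a sid-msg.map that is the union of every sensor's rule set, otherwise sig_reference lacks rows for rules only some sensors run. The script below is an added example and is not Security Onion or barnyard2 code: it constructs two small sensor maps under a temporary directory, merges them by SID, and refuses the merge when two sensors describe the same SID differently (which would mean the sensors are not actually running the same rule text). The v1 `sid || msg || refs` layout, the `sensor-*/sid-msg.map` directory layout and the helper names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not Security Onion project code): build one sid-msg.map that is
# the union of every sensor's map, so a single dedicated barnyard2 instance can
# populate sig_reference for any rule that any sensor may fire.
# Assumptions: v1 map format "sid || msg || ref ..." and per-sensor maps under
# $WORK/<sensor>/sid-msg.map (both constructed below for the demo).

WORK="${WORK:-$(mktemp -d)}"

# Constructed sample maps: two sensors with partially overlapping rule sets.
mkdir -p "$WORK/sensor-a" "$WORK/sensor-b"
cat > "$WORK/sensor-a/sid-msg.map" <<'EOF'
# comment line that must be ignored
1000001 || ET TEST rule abc || url,example.com/abc
1000002 || ET TEST rule shared || url,example.com/shared
EOF
cat > "$WORK/sensor-b/sid-msg.map" <<'EOF'
1000002 || ET TEST rule shared || url,example.com/shared
1000003 || ET TEST rule xyz || url,example.com/xyz
EOF

# merge_sid_maps OUT FILE... : drop comments and blank lines, take the union of
# all entries, and fail (leaving OUT untouched) if two sensors disagree about
# the same SID, since barnyard2 would then load whichever line it read last.
merge_sid_maps() {
    out="$1"; shift
    grep -h -v '^[[:space:]]*#' "$@" | grep -v '^[[:space:]]*$' | sort -u > "$out.tmp"
    # A SID that survives sort -u more than once has two different definitions.
    dup=$(cut -d'|' -f1 "$out.tmp" | tr -d ' ' | sort | uniq -d)
    if [ -n "$dup" ]; then
        echo "conflicting sid-msg.map entries for SID(s): $dup" >&2
        rm -f "$out.tmp"
        return 1
    fi
    mv "$out.tmp" "$out"
}

# count_sids FILE : number of distinct SIDs in a merged map (sanity check)
count_sids() {
    cut -d'|' -f1 "$1" | tr -d ' ' | sort -u | wc -l | tr -d ' '
}

# Merge the constructed sensor maps into the map the dedicated instance reads.
merge_sid_maps "$WORK/sid-msg.map" "$WORK"/sensor-*/sid-msg.map
```

In a real deployment the glob would point at the sensors' rule directories (or at copies pulled from them), and the merged file would be written where the dedicated instance's barnyard2.conf expects its sid-msg.map.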

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

NSM:

sensors need the following appended to the snorby output line:
disable_signature_reference_table

rule-update:

source /etc/nsm/securityonion.conf
if [ -d /var/lib/mysql/snorby ] && [ "$SNORBY_ENABLED" = "yes" ]; then
  # the dedicated barnyard2 instance needs gen-msg.map, classification.config and reference.config
  if [ ! -f /etc/nsm/rules/gen-msg.map ]; then cp /etc/nsm/templates/snort/gen-msg.map /etc/nsm/rules/; fi
  if [ ! -f /etc/nsm/rules/classification.config ]; then
    grep -h -v "^#" /etc/nsm/templates/snort/classification.config /etc/nsm/templates/suricata/classification.config | sort -u > /etc/nsm/rules/classification.config
  fi
  if [ ! -f /etc/nsm/rules/reference.config ]; then
    grep -h -v "^#" /etc/nsm/templates/snort/reference.config /etc/nsm/templates/suricata/reference.config | sort -u > /etc/nsm/rules/reference.config
  fi
  # clear the old reference rows, then let the dedicated instance repopulate them
  mysql snorby -e "delete from sig_reference; delete from reference;"
  barnyard2 -c /etc/nsm/barnyard2-snorby/barnyard2.conf
fi

Original comment by doug.bu...@gmail.com on 6 Jun 2014 at 11:41
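The design above only holds if every per-sensor barnyard2.conf really carries disable_signature_reference_table on its database output line and the barnyard2-snorby instance is the only one without it; a sensor that is missed will still truncate and rewrite sig_reference on every start. The following is an added shell example, not part of the Security Onion scripts, that audits a directory of barnyard2 configs for that property and can append the option where it is missing. The directory layout under `$WORK`, the sample config lines (with a `PLACEHOLDER` password) and the helper names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Security Onion project code): verify that exactly one
# barnyard2 instance, the dedicated one feeding the Snorby database, is allowed
# to regenerate sig_reference, and that every per-sensor instance has
# disable_signature_reference_table on its "output database:" line.
# Directory layout and config contents are constructed for the demo.

WORK="${WORK:-$(mktemp -d)}"
mkdir -p "$WORK/barnyard2-snorby" "$WORK/sensor1-eth1" "$WORK/sensor2-eth1"

cat > "$WORK/barnyard2-snorby/barnyard2.conf" <<'EOF'
# dedicated instance: it is the one that populates sig_reference, so no disable option
output database: alert, mysql, user=snorby password=PLACEHOLDER dbname=snorby host=localhost
EOF
cat > "$WORK/sensor1-eth1/barnyard2.conf" <<'EOF'
output database: alert, mysql, user=snorby password=PLACEHOLDER dbname=snorby host=localhost sensor_name=sensor1-eth1 disable_signature_reference_table
EOF
cat > "$WORK/sensor2-eth1/barnyard2.conf" <<'EOF'
# misconfigured sensor: still able to rewrite sig_reference on every start
output database: alert, mysql, user=snorby password=PLACEHOLDER dbname=snorby host=localhost sensor_name=sensor2-eth1
EOF

# db_output_line FILE : the active (uncommented) "output database:" line(s)
db_output_line() {
    grep -E '^[[:space:]]*output[[:space:]]+database:' "$1"
}

# sensor_updates_sig_ref FILE : succeeds when this instance may rewrite sig_reference
sensor_updates_sig_ref() {
    ! db_output_line "$1" | grep -qw 'disable_signature_reference_table'
}

# list_writers DIR DEDICATED : print every config under DIR that can still write
# sig_reference, except the dedicated one. Empty output means the deployment
# matches the "one writer" design.
list_writers() {
    dir="$1"; dedicated="$2"
    for conf in "$dir"/*/barnyard2.conf; do
        [ "$conf" = "$dir/$dedicated/barnyard2.conf" ] && continue
        if sensor_updates_sig_ref "$conf"; then
            printf '%s\n' "$conf"
        fi
    done
}

# fix_sensor FILE : append the option to the database output line if it is missing
fix_sensor() {
    if sensor_updates_sig_ref "$1"; then
        sed -i.bak -E 's/^([[:space:]]*output[[:space:]]+database:.*)$/\1 disable_signature_reference_table/' "$1"
        rm -f "$1.bak"
    fi
}

# Report offenders; on a real box this would be run against /etc/nsm.
list_writers "$WORK" barnyard2-snorby
```

Run `list_writers` as a read-only check first; `fix_sensor` is the remediation for each path it prints, and a second `list_writers` run should then print nothing.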

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Original comment by doug.bu...@gmail.com on 6 Jun 2014 at 6:40

  • Changed title: NSM: Have only one copy of barnyard2 that updates signature reference table
@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Original comment by doug.bu...@gmail.com on 9 Jun 2014 at 11:58

  • Changed title: NSM: sensors should not update signature reference table
@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Submitted for testing:
https://groups.google.com/d/topic/security-onion-testing/pF7U4gjOxOM/discussion

Published:
http://blog.securityonion.net/2014/06/new-barnyard2-nsm-rule-update-and.html

Original comment by doug.bu...@gmail.com on 16 Jun 2014 at 11:19

  • Changed state: Verified