NSM: sensors should not update signature reference table

[GoogleCodeExporter]

Have only one copy of barnyard2 that updates signature reference table

Original issue reported on code.google.com by doug.bu...@gmail.com on 6 Nov 2013 at 6:07

[GoogleCodeExporter]

https://groups.google.com/d/topic/barnyard2-users/IIoyClc7XTc/discussion

"An other and cleaner solution is to only keep 1 dummy barnyard2 
process to generate the sig_ref table, that sensor can even not be 
bound to any snort instance 
and it just need to have a sid-msg.map file and gen-msg.map file that 
is aggregate of all the rules that every sensor monitor (if you 
sensors have different ruleset 
some have xyz rule enable some have abc rule you aggregate a file with 
abc and xyz and it should be fine) 

And every other barnyard2 instances can have 
disable_signature_reference_table configured in the ouput database, so 
that they do not touch sig_reference 
at all. That option will speed up the initialization process of every 
barnyard2 instance and will not impact logging if a error occur in the 
generation of the sig_reference table. 
While delegating that responsability to the dedicated by2 instance 
that will populated it."

Original comment by doug.bu...@gmail.com on 6 Nov 2013 at 6:08

• Added labels: ****
• Removed labels: ****

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

NSM:

sensors need the following appended to the snorby output line:
disable_signature_reference_table

rule-update:

source /etc/nsm/securityonion.conf
if [ -d /var/lib/mysql/snorby ] && [ "$SNORBY_ENABLED" = "yes" ]; then
  if [ ! -f /etc/nsm/rules/gen-msg.map ]; then cp /etc/nsm/templates/snort/gen-msg.map /etc/nsm/rules/; fi
  if [ ! -f /etc/nsm/rules/classification.config ]; then
                grep -h -v "^#" /etc/nsm/templates/snort/classification.config /etc/nsm/templates/suricata/classification.config |sort -u > /etc/nsm/rules/classification.config
  fi
  if [ ! -f /etc/nsm/rules/reference.config ]; then
                grep -h -v "^#" /etc/nsm/templates/snort/reference.config /etc/nsm/templates/suricata/reference.config |sort -u > /etc/nsm/rules/reference.config
  fi
  mysql snorby -e "delete from sig_reference; delete from reference;"
  barnyard2 -c /etc/nsm/barnyard2-snorby/barnyard2.conf

Original comment by doug.bu...@gmail.com on 6 Jun 2014 at 11:41

• Added labels: ****
• Removed labels: ****

[GoogleCodeExporter]

Original comment by doug.bu...@gmail.com on 6 Jun 2014 at 6:40

• Changed title: NSM: Have only one copy of barnyard2 that updates signature reference table
• Added labels: ****
• Removed labels: ****

[GoogleCodeExporter]

Original comment by doug.bu...@gmail.com on 9 Jun 2014 at 11:58

• Changed title: NSM: sensors should not update signature reference table
• Added labels: ****
• Removed labels: ****

[GoogleCodeExporter]

Submitted for testing:
https://groups.google.com/d/topic/security-onion-testing/pF7U4gjOxOM/discussion

Published:
http://blog.securityonion.net/2014/06/new-barnyard2-nsm-rule-update-and.html

Original comment by doug.bu...@gmail.com on 16 Jun 2014 at 11:19

• Changed state: Verified
• Added labels: ****
• Removed labels: ****