Sync suricata srules\thresholds\suppressions between multiple Scirius install

[n00bsteam]

Hi!

What I did: first configured sources on all IDS Scirius CE, updated all rulse, then went to suricata-> ruleset actions-> build & push, after copying two files from IDS-1 / etc / suricata / rules / two files: threshold .config and scirius.rules to another IDS, and the same action "go to suricata-> ruleset actions-> build & push". Unfortunately, this did not lead to any changes on IDS-2, IDS-3, etc., the files are back to the original state of the rules. If I am doing something wrong, please explain the method how to implement it.

Thx community for u hard and great work!

[regit]

Do you have one Scirius CE by probe ? What we do in our commercial product (Scirius Security Platform) is to have on Scirius per multiple probes. If going commercial is out of your scope, you could just then build&push the ruleset to a specific directory and then copy the result to the remote probes.

[n00bsteam]

No, i have 3 Scirius CE installs.

[n00bsteam]

If i copy after build&push threshold .config and scirius.rules from SciriusCE_1 to SciriusCE_2, SciriusCE_3 and etc, overwrite and build&push, threshold .config and scirius.rules at target SciriusCE_1 to SciriusCE_2, SciriusCE_3 and etc, the files are back to the original state of the rules.

[pevma]

Maybe make the changes you wan ton CE1 and then propagate - it will overwrite but it is the intention to have those changes done right ?

[n00bsteam]

No, files, what i move from SciriusCE_1 overwrited by actual settings of SciriusCE_2 after build&push.

[n00bsteam]

The last thing I did and visually it worked, exported all the rules_ * tables from sqlite3 SciriusCE_1 and import them (drop exist befor) to sqlite3 SciriusCE_2\3\4 etc, but looks like its not good method.