I’ve setup a number of Intel feeds on our SecurityOnion server that get distributed to the sensors via the “salt-cp” command. I use mal-dns2bro to grab them. Does the “salt-cp” command act as an atomic move of the intel feed files to the sensors or should I first delete the files from the sensors? Is there a log that shows the updated Intel feed files being read?
Hi Brian,
This question is probably more suited for the Security Onion mailing list (cc’d). If you’re using our OnionSalt scripts, you shouldn’t need to use salt-cp manually. OnionSalt should automatically replicate /opt/bro/share/bro/policy/ from the server to all sensors.
http://blog.securityonion.net/2014/04/new-securityonion-onionsalt-package.html?m=1