Snort mailing list archives
uses of multiple sensors - reply & follow-up question
From: "Cloppert, Michael" <Michael.Cloppert () 53 com>
Date: Tue, 25 Mar 2003 10:52:06 -0500
(see below) I have a response and an add-on question:

We are using multiple Snort sensors for the following reasons:

1) capacity - we plan on deploying 12 sensors. One box won't be able to handle this.
2) location - with a separate DR site and therefore a separate gateway to the Big Bad Internet, we obviously need another box here.
3) redundancy - if we have one server monitoring all of our network traffic everywhere, and something fatal happens to that box, suddenly we go from excellent NIDS coverage to none.

My follow-up question is this: Does anyone have a good solution in place for multiple, physically separated Snort boxes (up to 6 is what I'm thinking)? My options, as I see them, are the following:

1) Configure Snort to pump data to a MySQL instance on a separate system. The problem with doing this is that if a network segment goes down (think: DoS) then suddenly I lose all forensic data for that portion of the network. Easy cover-up for an attack (combine DoS & exploits, run free).
2) A different instance of MySQL on each system. Obviously this is terribly unwieldy, especially from an analysis perspective (6 web browsers up looking at 6 different ACID screens? ACK!)
3) A different instance of MySQL on each sensor, and also a central MySQL instance. Configure Snort with 2 output databases: the local MySQL instance and the central database. Analysts look at events via ACID from the central database. This fixes the problems with (1) and (2), but couldn't this get terribly CPU-intensive? I've heard multiple output plugins can REALLY kill Snort's capacity.
4) A different instance of MySQL on each sensor, and also a central MySQL database. Configure Snort to output only to the local database, and on a short schedule (say every 5 mins) pump new events to the central MySQL database via fun scripts & such. Analysts look at events via ACID from the central database. This fixes the problem in (3) but creates two more: a) pain in the butt scripting it all up, and making sure there are no duplicate sid/cid pairs on the central database; b) the central database, which is what analysts will see, is only as up-to-date as my replication schedule from the remote sensors.

Anyone with experience in multiple-sensor environments - if you have comments or recommendations, by all means let us know!!!

Mike Cloppert
-----Original Message-----
From: sunzi [mailto:sunzi () mod-x co uk]
Sent: Thursday, March 20, 2003 7:32 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] uses of multiple sensors

Bishan,

I use multiple sensors to break up my rulesets according to the system(s) they're protecting. I've been known to create a single node for network-centric attacks, and others for rules directly affecting various operating systems in the LAN. Also, on the actual systems that I run Snort on (some are physically located on critical servers) I use it to drastically lighten the load of the sensor in question. For example, on Web servers, I am known to run multiple instances of Snort: a primary that is only concerned about port 80, one that looks at everything else according to O/S, and one that I have ready to go to sniff 100% of traffic from a subnet on that machine. I also have a tendency to use a highly restricted ruleset and couple it with BlackIce for my Win32 servers to provide auto-blockage for a limited ruleset of my choosing. It may seem kinda drastic, or even crazy, but it's flexible, and still light on memory when tweaked well. I've been able to easily run upwards of 10 Snort nodes on a production Web server that was getting well over 200 concurrent users, and has been known to get 500+.

hth,
sunzi

----- Original Message -----
From: "Always Bishan" <bishan4u () yahoo co uk>
To: <snort-users () lists sourceforge net>
Sent: Thursday, March 20, 2003 6:30 AM
Subject: [Snort-users] uses of multiple sensors

hi snorters,

i have 2 snort sensors in my network. one use that i can make out of having multiple sensors is for load balancing, that is, i can put it to watch small networks and thus reduce the load on every instance. i think it would be quite beneficial for all of us, if some snort greats present here can enlighten us more on *uses of having multiple sensors*. this will definitely help a lot of us, now and in future.

Thanx in advance.
Bishan
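Option (4) in Mike Cloppert's message above (a local database on each sensor, with new events pushed to a central analyst database on a short schedule) and its two stated concerns, duplicate sid/cid pairs and replication lag, as an added Python example that is not code from this thread or from the Snort project. It assumes SQLite in-memory databases as stand-ins for the per-sensor and central MySQL instances and a constructed subset of the Snort event schema; the function names, signature strings and timestamps are made up for the demonstration.

```python
"""Pull-style replication of Snort events from per-sensor databases to a
central analyst database, as sketched in option (4) above.  Added example,
not code from the original thread.  SQLite in-memory databases stand in for
the MySQL instances; the schema is a constructed subset of Snort's event
table, keeping only the (sid, cid) key that the duplicate concern is about."""
import sqlite3
from typing import Dict

# Constructed subset of the Snort event table: sid = sensor id,
# cid = per-sensor event counter.  The composite key is what makes
# "no duplicate sid/cid pairs" enforceable by the database itself.
SCHEMA = """
CREATE TABLE IF NOT EXISTS event (
    sid       INTEGER NOT NULL,
    cid       INTEGER NOT NULL,
    signature TEXT    NOT NULL,
    timestamp TEXT    NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""


def open_db() -> sqlite3.Connection:
    """Open an empty in-memory database with the event table (stand-in for MySQL)."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def local_insert(con: sqlite3.Connection, sid: int, cid: int, signature: str, ts: str) -> None:
    """What the sensor's own Snort output plugin would do: write to the local DB only."""
    con.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, signature, ts))
    con.commit()


def replicate_sensor(local: sqlite3.Connection, central: sqlite3.Connection, sid: int) -> int:
    """Copy every event for `sid` whose cid is above the central high-water mark.

    The watermark is read from the central database, so the script keeps no
    state of its own and a crashed or re-run job simply resumes.  Returns the
    number of rows copied."""
    (watermark,) = central.execute(
        "SELECT COALESCE(MAX(cid), 0) FROM event WHERE sid = ?", (sid,)
    ).fetchone()
    rows = local.execute(
        "SELECT sid, cid, signature, timestamp FROM event "
        "WHERE sid = ? AND cid > ? ORDER BY cid",
        (sid, watermark),
    ).fetchall()
    # INSERT OR IGNORE plus the (sid, cid) primary key: even if two runs
    # overlap, a given pair can only land in the central table once.
    central.executemany("INSERT OR IGNORE INTO event VALUES (?, ?, ?, ?)", rows)
    central.commit()
    return len(rows)


def replicate_all(sensors: Dict[int, sqlite3.Connection], central: sqlite3.Connection) -> Dict[int, int]:
    """Run one scheduled pass over all sensors.  A sensor that cannot be reached
    (segment down, box under DoS) reports -1; nothing is lost, because its
    events stay in its local database and the next pass resumes from the
    unchanged central watermark."""
    results: Dict[int, int] = {}
    for sid, local in sensors.items():
        try:
            results[sid] = replicate_sensor(local, central, sid)
        except sqlite3.Error:
            results[sid] = -1
    return results


def central_counts(central: sqlite3.Connection) -> Dict[int, int]:
    """Events per sensor as the analyst console (ACID) would see them."""
    return dict(central.execute("SELECT sid, COUNT(*) FROM event GROUP BY sid ORDER BY sid"))


def pending(local: sqlite3.Connection, central: sqlite3.Connection, sid: int) -> int:
    """How far behind the central copy is for one sensor (concern (b) above):
    the number of local events not yet replicated."""
    (watermark,) = central.execute(
        "SELECT COALESCE(MAX(cid), 0) FROM event WHERE sid = ?", (sid,)
    ).fetchone()
    (n,) = local.execute(
        "SELECT COUNT(*) FROM event WHERE sid = ? AND cid > ?", (sid, watermark)
    ).fetchone()
    return n


if __name__ == "__main__":
    # Constructed scenario: two sensors, one scheduled pass, then sensor 1
    # becomes unreachable while sensor 2 keeps logging.
    sensors = {1: open_db(), 2: open_db()}
    central = open_db()
    local_insert(sensors[1], 1, 1, "WEB-IIS cmd.exe access", "2003-03-25 10:00:01")
    local_insert(sensors[1], 1, 2, "ICMP PING NMAP", "2003-03-25 10:00:05")
    local_insert(sensors[2], 2, 1, "SCAN SYN FIN", "2003-03-25 10:00:07")
    print("pass 1:", replicate_all(sensors, central))   # {1: 2, 2: 1}
    print("pass 2:", replicate_all(sensors, central))   # {1: 0, 2: 0}, nothing duplicated
    local_insert(sensors[2], 2, 2, "SCAN SYN FIN", "2003-03-25 10:05:00")
    sensors[1].close()                                   # simulate the segment going down
    print("pass 3:", replicate_all(sensors, central))   # {1: -1, 2: 1}
    print("central:", central_counts(central))           # {1: 2, 2: 2}
```

Two design points address the two concerns: the high-water mark is derived from the central database itself rather than stored by the script, so there is no state file to get out of sync, and the composite primary key (not the watermark query) is the actual guarantee against duplicate sid/cid pairs. `pending()` is the figure an analyst would want next to the ACID console: with a 5-minute schedule it bounds how stale the central view can be, and a sensor whose pending count keeps growing across passes is one whose segment may be down.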