Snort mailing list archives
Re: Snort in a H.A. environment.
From: Saad Kadhi <saad () docisland org>
Date: Mon, 20 Jan 2003 11:53:19 +0100
On Mon, Jan 20, 2003 at 10:50:37AM +0100, Federico Lombardo wrote:
And why? It is the only way to monitor trespassing traffic in real time.
No, that's false. Example: node1 is active. A cracker(tm) has started an intrusion attempt on your webserver. The traffic is permitted by the firewall on node1 (handshake completed according to the rules). Snort has not yet identified the session as an intrusion, because the cracker may be using some evasion technique, or the attack patterns are still missing. node1 fails. node2 takes over (this takes a few seconds, if not more). It starts the firewall and snort processes. You are using state synchronisation, so the cracker's session will be allowed to proceed. Snort on node2 didn't see the first packets of the session, so the pattern is incomplete and it cannot identify this as an intrusion attempt. And during the takeover, maybe the cracker launched other attempts as well. OK, these won't necessarily get through, but they may indicate a global pattern that would help you see what the cracker is looking for. Too bad, they are lost.
Using SPAN ports in a switch? I don't think this solution will solve my problems... I have a very high-traffic MAN.
And? If you have such a busy network, your firewalls are probably already under heavy load. So you want to stress them more by adding other processes (snort and co.) that will fight for resources with your Checkpoint? I don't see how running snort on a cluster (configured as active-passive) is better than dedicating a box to snort and plugging it into the network segments you want to monitor. If performance is a problem, dedicate as many boxen as you need to snort and use a hardware load balancer, for example such as Top Layer. If 'real time(tm)' is a problem, create IDS farms on the load balancer. In this case, if one box in a farm fails, no problem: the traffic is still monitored by the other boxen in the same farm. If running with a single load balancer is a problem, add another one and configure them in active-passive mode.
----- Original Message -----
From: "Patrice Boulanger" <pboulanger () fr externall net>
To: "Federico Lombardo" <egopfe () hotmail com>
Sent: Monday, January 20, 2003 10:28 AM
Subject: RE: [Snort-users] Snort in a H.A. environment.

Yes, it's a stupid problem... I don't think it's a good idea to run snort on your firewalls!

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On behalf of Federico Lombardo
Sent: Monday, 20 January 2003 10:19
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort in a H.A. environment.

Hi all, I have a stupid problem. In a production scenario I have a Checkpoint Firewall-1 Cluster-XL firewall in Active-StandBy configuration. On the active Node-1 I want to run snort, and there are no problems with this. The problem I want to solve is: how can I make it possible to start snort on the other Node-2 when it becomes active, and how do I stop snort on Node-1 when it becomes standby??? Every solution is appreciated. Regards, Federico

-------------------------------------------------------
This SF.NET email is sponsored by: FREE SSL Guide from Thawte. Are you planning your Web Server Security? Click here to get a FREE Thawte SSL guide and find the answers to all your SSL security issues. http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Saad Kadhi -- [saad () docisland org] [saad.kadhi () hapsis fr]
[pgp keyid: 35592A6D http://pgp.mit.edu]
[pgp fingerprint: BF7D D73E 1FCF 4B4F AF63 65EB 34F1 DBBF 3559 2A6D]
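The failure mode Saad describes above (the standby node's snort starts mid-session and never sees the packets that would complete the pattern) can be shown with a small simulation. This is an added example, not code from the thread or from the Snort project: a toy stream-reassembling detector, a constructed HTTP request split across three TCP segments so that the attack string only exists in the reassembled stream, and a constructed content rule. The reassembler's rule of refusing to extend a stream whose first bytes are missing is a simplification chosen for this illustration, not a statement about how Snort's stream preprocessor behaves.

```python
"""
Added example (not part of the original mailing-list thread).

Simulates an active/standby failover in the middle of one TCP session and
shows that neither the failed node nor the node that takes over holds enough
of the stream to match a multi-segment signature, while a single sensor that
sees the whole session does. All packets, the flow key, the rule content and
the failover point below are constructed for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample session: one HTTP request split across three segments.
# Each entry is (flow_key, relative_seq, payload).
FLOW = "10.0.0.5:4242->10.0.0.1:80"
SESSION = [
    (FLOW, 0,  b"GET /cgi-bin/"),            # 13 bytes, seq 0..12
    (FLOW, 13, b"../../"),                   # 6 bytes, seq 13..18
    (FLOW, 19, b"../etc/passwd HTTP/1.0\r\n"),
]

# Constructed content rule. No single segment above contains it; only the
# reassembled stream does, so per-packet matching would miss it as well.
RULE_CONTENT = b"/cgi-bin/../../../etc/passwd"


@dataclass
class StreamSensor:
    """Minimal stand-in for a stateful IDS: reassemble per flow, then match."""
    name: str
    streams: Dict[str, Dict[int, bytes]] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def reassemble(self, flow: str) -> bytes:
        """Concatenate contiguous segments from relative seq 0 upwards.

        Simplification for this example: if the stream's head is missing
        (the sensor started mid-session) nothing is reassembled, because the
        sensor cannot know what preceded the first segment it saw.
        """
        segments = self.streams.get(flow, {})
        data, expected = b"", 0
        for seq in sorted(segments):
            if seq != expected:
                break
            data += segments[seq]
            expected = seq + len(segments[seq])
        return data

    def feed(self, flow: str, seq: int, payload: bytes) -> bool:
        """Store one segment and report whether the rule now matches."""
        self.streams.setdefault(flow, {})[seq] = payload
        if RULE_CONTENT in self.reassemble(flow) and flow not in self.alerts:
            self.alerts.append(flow)
            return True
        return False


def run_single_sensor(packets) -> List[str]:
    """A dedicated sensor that sees every packet of the session."""
    sensor = StreamSensor("dedicated")
    for flow, seq, payload in packets:
        sensor.feed(flow, seq, payload)
    return sensor.alerts


def run_with_failover(packets, failover_after: int) -> Tuple[List[str], List[str]]:
    """node1 sees packets[:failover_after]; node2 takes over for the rest.

    Firewall state synchronisation lets the session continue, but snort's
    reassembly state is not part of what gets synchronised.
    """
    node1, node2 = StreamSensor("node1"), StreamSensor("node2")
    for i, (flow, seq, payload) in enumerate(packets):
        sensor = node1 if i < failover_after else node2
        sensor.feed(flow, seq, payload)
    return node1.alerts, node2.alerts


if __name__ == "__main__":
    print("dedicated sensor alerts:", run_single_sensor(SESSION))
    print("failover after 2 packets:", run_with_failover(SESSION, 2))
```

Running the block prints one alert for the dedicated sensor and an empty alert list for both cluster nodes when the failover happens after the second segment: node1 only ever saw `GET /cgi-bin/../../`, and node2 received a segment starting at offset 19 with no idea what came before it. Moving the failover point to before the first packet or after the last one makes exactly one node alert, which is the "all or nothing" property Saad is pointing at.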
Current thread:
- Snort in a H.A. environment. Federico Lombardo (Jan 20)
- Re: Snort in a H.A. environment. Saad Kadhi (Jan 20)
- Re: Snort in a H.A. environment. Glenn Forbes Fleming Larratt (Jan 20)
- Re: Snort in a H.A. environment. Erek Adams (Jan 20)
- Re: Snort in a H.A. environment. Bennett Todd (Jan 21)
- <Possible follow-ups>
- Re: Snort in a H.A. environment. Federico Lombardo (Jan 20)
- Re: Snort in a H.A. environment. Saad Kadhi (Jan 20)
- Re: Snort in a H.A. environment. Federico Lombardo (Jan 20)
- Re: Snort in a H.A. environment. Saad Kadhi (Jan 20)