Snort mailing list archives
Asymmetric routing and IDS correlation ?
From: Glenn Forbes Fleming Larratt <glratt () io com>
Date: Mon, 22 Mar 2004 16:12:22 -0600 (CST)
Our border is configured with two loadshared connections between border and core routers, using OSPF loadsharing in its default (per-packet) mode of operation. Two redundant snort hosts each have a dedicated, unaddressed, promiscuous-mode tap on each of the two links. This creates the nontrivial problem that any attempt to use stateful features of Snort (or any other IDS) may fail because of asymmetric routing, thus:

      border
      |    |
    +---+  +--U---------+ +  snorthost (only one of two shown)
      |    +---------+   +
      |    |
    +---+
      core

If, for the sake of argument, a TCP conversation occurs:

    Syn
    Syn/Ack
    Ack
    {banner}
    {query1}
    {response1}
    {query2}
    {response}
    Fin Ack
    Fin Ack

, and the routing and loadsharing is such that inbound traffic takes the left-hand link and outbound the right-hand, then neither of the two instances of snort on the snorthost will get enough information to do even minimal correlations, let alone use "flow" and "session" keywords.

We know we could make the two links preferred/backup, rather than equal-value loadshare, but that throws away half our bandwidth.

Question 1: Is there any way for snort to be smart enough to have one instance looking at both interfaces, or to share state between two instances?

Question 2: [sort of OT for this list] is there a standards-based way to make two-way loadsharing "per-conversation", as it were, to obviate this issue?

Any assistance gratefully received.

thx,
-g
--
Glenn Forbes Fleming Larratt
The Lab Ratt (not briggs :-)
glratt () io com
http://www.io.com/~glratt
There are imaginary bugs to chase in heaven.
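As an added illustration, not part of the original post, here is a small Python sketch of the failure described above: each tap alone sees one direction of the conversation, so a stateful handshake check never completes, while merging the two taps on a direction-independent flow key does complete it. The same key also yields a per-conversation (rather than per-packet) link choice that keeps both directions on one link. All addresses, ports and packets are constructed sample data.

```python
import zlib
from collections import defaultdict

# Constructed sample: one TCP conversation split across two taps.
# A packet is (timestamp, src_ip, src_port, dst_ip, dst_port, tcp_flags).
LEFT_TAP = [  # inbound direction only
    (1.000, "203.0.113.5", 40000, "192.0.2.10", 80, "S"),
    (1.020, "203.0.113.5", 40000, "192.0.2.10", 80, "A"),
    (1.030, "203.0.113.5", 40000, "192.0.2.10", 80, "PA"),  # query1
    (1.080, "203.0.113.5", 40000, "192.0.2.10", 80, "FA"),
]
RIGHT_TAP = [  # outbound direction only
    (1.010, "192.0.2.10", 80, "203.0.113.5", 40000, "SA"),
    (1.025, "192.0.2.10", 80, "203.0.113.5", 40000, "PA"),  # banner
    (1.040, "192.0.2.10", 80, "203.0.113.5", 40000, "PA"),  # response1
    (1.090, "192.0.2.10", 80, "203.0.113.5", 40000, "FA"),
]

def flow_key(pkt):
    """Direction-independent key: both directions of a conversation map
    to the same key, so packets from either tap land in one flow."""
    _, sip, sport, dip, dport, _ = pkt
    return tuple(sorted([(sip, sport), (dip, dport)]))

def handshake_state(packets):
    """Merge packets by timestamp and track the three-way handshake per flow."""
    state = defaultdict(lambda: {"syn": False, "synack": False, "established": False})
    for pkt in sorted(packets, key=lambda p: p[0]):
        st, flags = state[flow_key(pkt)], pkt[5]
        if flags == "S":
            st["syn"] = True
        elif flags == "SA" and st["syn"]:
            st["synack"] = True
        elif "A" in flags and st["synack"]:
            st["established"] = True
    return dict(state)

def established_flows(*taps):
    """Flows whose full handshake was observed across the given taps."""
    packets = [p for tap in taps for p in tap]
    return {k for k, st in handshake_state(packets).items() if st["established"]}

def choose_link(pkt, n_links=2):
    """Per-conversation link selection (hypothetical): hashing the symmetric
    key sends both directions of a flow over the same link."""
    return zlib.crc32(repr(flow_key(pkt)).encode()) % n_links

if __name__ == "__main__":
    print("left only:", established_flows(LEFT_TAP))            # set()
    print("right only:", established_flows(RIGHT_TAP))          # set()
    print("merged:", established_flows(LEFT_TAP, RIGHT_TAP))    # one flow
```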