Snort mailing list archives

RE: Asymmetric routing and IDS correlation ?


From: "Biswas, Proneet" <pbiswas () ipolicynet com>
Date: Tue, 23 Mar 2004 11:26:58 -0800

The loadbalancer should work, but are the routers physically close or in different locations?

----------------------------------------------------------------------------------
The surest way to corrupt a youth is to instruct him to hold in higher esteem those who think alike than those who 
think differently. --

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Josh 
Berry
Sent: Tuesday, March 23, 2004 9:32 AM
To: Glenn Forbes Fleming Larratt
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Asymmetric routing and IDS correlation ?

I am not sure how to do this with Snort alone, but you can use a device
that aggregates traffic such as the TopLayer IDS Balancer, feeding both
SPAN's into the Balancer and spitting them back out of one interface into
the Snort IDS sensor.

Our border is configured with two loadshared connections between
border and core routers, using OSPF loadsharing in its default
(per-packet) mode of operation. Two redundant snort hosts each
have a dedicated, unaddressed, promiscuous-mode tap on each of
the two links.

This creates the nontrivial problem that any attempt to use
stateful features of Snort (or any other IDS) may fail because
of asymmetric routing, thus:

       border
        |  |         +---+
        +--U---------+   + snorthost (only one of two shown)
        |  +---------+   +
        |  |         +---+
        core

If, for the sake of argument, a TCP conversation occurs:

   Syn
         Syn/Ack
   Ack
         {banner}
   {query1}
         {response1}
   {query2}
         {response}
   Fin
         Ack
         Fin
   Ack

, and the routing and loadsharing is such that inbound traffic takes
the left-hand link and outbound the right-hand, then neither of the
two instances of snort on the snorthost will get enough information
to do even minimal correlations, let alone use "flow" and "session"
keywords.

We know we could make the two links preferred/backup, rather than
equal-value loadshare, but that throws away half our bandwidth.

Question 1: Is there any way for snort to be smart enough to have
one instance looking at both interfaces, or to share state between
two instances?

Question 2: [sort of OT for this list] is there a standards-based way
to make two-way loadsharing "per-conversation", as it were, to obviate
this issue?

Any assistance gratefully received.

      thx,-g
--
Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-)
glratt () io com                        http://www.io.com/~glratt
There are imaginary bugs to chase in heaven.



-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





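Added example, not from the thread: a small Python simulation of the exchange Glenn diagrams, comparing the inbound-left/outbound-right split against a per-conversation link choice of the kind Question 2 asks about, and the SPAN aggregation Josh suggests. The addresses and the sorted-endpoint hash are assumptions for illustration, not any router vendor's algorithm.

```python
import hashlib
from collections import defaultdict

# Constructed TCP exchange following the thread's diagram: (direction, flags).
# "in" segments travel border -> core, "out" segments travel core -> border.
CONVERSATION = [
    ("in", "SYN"), ("out", "SYN/ACK"), ("in", "ACK"), ("out", "banner"),
    ("in", "query1"), ("out", "response1"), ("in", "query2"),
    ("out", "response2"), ("in", "FIN"), ("out", "ACK"), ("out", "FIN"),
    ("in", "ACK"),
]
CLIENT = ("198.51.100.7", 40123)   # constructed outside host (RFC 5737 range)
SERVER = ("192.0.2.25", 21)        # constructed inside host (RFC 5737 range)

def asymmetric_link(direction, src, dst):
    """Glenn's worst case: inbound rides the left link, outbound the right."""
    return 0 if direction == "in" else 1

def per_conversation_link(direction, src, dst):
    """Assumed per-conversation policy: hash the flow key with the endpoints
    sorted, so both directions of one conversation land on the same link."""
    key = "|".join(f"{ip}:{port}" for ip, port in sorted((src, dst)))
    return int(hashlib.sha256(key.encode()).hexdigest(), 16) % 2

def handshake_complete(segments):
    """Minimal stateful check a tap can do alone: SYN, SYN/ACK, ACK in order."""
    wanted = ["SYN", "SYN/ACK", "ACK"]
    for flags in segments:
        if wanted and flags == wanted[0]:
            wanted.pop(0)
    return not wanted

def taps_see(policy):
    """Feed the conversation through a link-selection policy and report, per
    link, whether the tap on that link alone could track the handshake."""
    per_link = defaultdict(list)
    for direction, flags in CONVERSATION:
        src, dst = (CLIENT, SERVER) if direction == "in" else (SERVER, CLIENT)
        per_link[policy(direction, src, dst)].append(flags)
    return {link: handshake_complete(segs) for link, segs in per_link.items()}

def aggregated_tap_sees():
    """Josh's workaround: both SPANs merged, in order, into one sensor interface."""
    return handshake_complete([flags for _direction, flags in CONVERSATION])

if __name__ == "__main__":
    print("asymmetric, per tap:", taps_see(asymmetric_link))
    print("per-conversation, per tap:", taps_see(per_conversation_link))
    print("aggregated:", aggregated_tap_sees())
```

The aggregated case assumes the merging device preserves arrival order across the two SPANs; if it reorders segments, a stateful tracker can still miss the handshake.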