IDS mailing list archives

Re: High availability design of NIDS


From: "Michael Allgeier" <Michael.Allgeier () lcra org>
Date: Tue, 22 Feb 2005 15:47:03 -0600

OpenBSD + CARP + snort = failover NIDS

Jose Maria Lopez Hernandez <jkerouac () bgsec com> 2/22/2005 11:46:52 AM >>>
On Tue, 22-02-2005 at 17:26 +0800, Vincent IP wrote:
Hi all,

I am now designing an NIDS solution. In the design, I would like to
include a high availability (HA) feature for my NIDS solution so that when
one of the sensors is dead, the other (resilient) sensor can take up the
monitoring job automatically.

If the NIDS is not running in stealthy mode, I think I could use the
Cluster service of Windows to monitor the network in HA mode (assuming
both sensors can listen to all traffic in the network).

However, if I need to run the NIDS in stealthy mode, could I also use the
Cluster service to monitor the network in HA mode? Are there any products
already enabling an HA feature?

Thank you very much.

Regards,
Pong

I've installed two snort sensors logging to a MySQL database with
internal storage, using heartbeat, DRBD and some hacks, in high
availability. But it runs under Linux. If you are interested, post
another message and I will tell you how I did it, but you talk about
Windows, so I don't know if you are interested in the information.

Regards.

-- 

Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac () bgsec com 
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com 
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------


