IDS mailing list archives
Re: High availability design of NIDS
From: Jose Maria Lopez Hernandez <jkerouac () bgsec com>
Date: Thu, 24 Feb 2005 20:34:50 +0100
On Tue, 22-02-2005 at 18:46 +0100, Jose Maria Lopez Hernandez wrote:
> I've installed two snort sensors logging to a MySQL database with internal storage, using heartbeat, drbd and some hacks, in high availability. But it runs under Linux. If you are interested, post another message and I will tell you how I did it, but you talk about Windows, so I don't know if you are interested in the information. Regards.
As I have received four or five private emails asking about this project I did, and I have answered privately, but people are still asking for information on the list, I post here what I have sent to the people who asked me by private email:

The system was a standard heartbeat configuration, but using drbd to provide the internal storage for the high availability system. The system was a passive-active one, so it was not so difficult. We are now working on a similar system in active-active mode, which is much more difficult to achieve.

What we did was to install two snort sensors with the same configuration on two machines, and a MySQL database on each of the machines. We made a partition on each of the machines for the MySQL database storage. Then we used drbd to do a RAID-1 over the crossover ethernet cable we used for the heartbeat UDP. We used the C mode of drbd to assure the data was correctly replicated. With this the passive system always had the same data as the active one, almost in real time.

Drbd has a module for heartbeat that allows the passive machine to use the replicated storage when there is a failover. And the mysql and snort daemons were restarted by heartbeat when a failover happened. Then the new snort starts logging to the new database and no data is lost. If the first machine restarts, the second machine acts as the primary drbd server and replicates the data to the first machine.

That was the solution we used, but there are others. We had a hub so we didn't have any ARP problems, so we just used IP takeover. The system used some scripts to replicate the snort rules and some more data with rsync and some other things, but basically that's what I have explained.

Regards.
--
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac () bgsec com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
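For readers who want to see what the active/passive chain described above looks like in configuration form, here is an added example (not the poster's own files, which were never shared on the list). It assumes heartbeat 1.x with its classic haresources file, drbd 0.7 with the drbddisk resource script the poster mentions, two nodes named sensor1 and sensor2 (hypothetical), a crossover link on 10.0.0.0/24 for both drbd replication and heartbeat, a service IP of 192.168.1.50 taken over on eth0, and the MySQL datadir living on the replicated device. All hostnames, addresses, device names and paths are placeholders chosen for the example.

```conf
# /etc/drbd.conf  (drbd 0.7 syntax, assumed)
# One resource mirroring the MySQL data partition over the crossover link.
resource r0 {
  protocol C;              # "C mode": write is acknowledged only after the peer has it on disk
  on sensor1 {
    device    /dev/drbd0;
    disk      /dev/sda5;   # local partition reserved for the MySQL datadir
    address   10.0.0.1:7788;
    meta-disk internal;
  }
  on sensor2 {
    device    /dev/drbd0;
    disk      /dev/sda5;
    address   10.0.0.2:7788;
    meta-disk internal;
  }
}

# /etc/ha.d/ha.cf  (heartbeat 1.x, assumed)
# Heartbeat UDP on the same crossover link, preferred node gets resources back after recovery.
udpport   694
ucast     eth1 10.0.0.2     # on sensor2 this line points at 10.0.0.1
auto_failback on
node      sensor1
node      sensor2
deadtime  10

# /etc/ha.d/haresources  (heartbeat 1.x, assumed)
# Resources start left-to-right on takeover and stop right-to-left on release:
#   1. take over the service IP (plain IP takeover, no ARP tricks needed on a hub)
#   2. promote drbd r0 to Primary via the drbddisk script shipped with drbd
#   3. mount the replicated filesystem where MySQL expects its datadir
#   4. start mysqld, then snort so it logs into the now-local database
sensor1 IPaddr::192.168.1.50/24/eth0 drbddisk::r0 Filesystem::/dev/drbd0::/var/lib/mysql::ext3 mysqld snort
```

The ordering in haresources is the whole point: snort must not start before mysqld, and mysqld must not start before the drbd device is Primary and mounted, otherwise the sensor logs into nothing or into a stale copy. With protocol C the passive node's copy is only ever one acknowledged write behind, which is what makes the post's "no data is lost" claim hold for alerts already committed; alerts raised during the deadtime window itself are still lost, since only the database is replicated, not the running sensor.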
Current thread:
- High availability design of NIDS Vincent IP (Feb 22)
- Re: High availability design of NIDS Jose Maria Lopez Hernandez (Feb 22)
- Re: High availability design of NIDS John Galt (Feb 24)
- Re: High availability design of NIDS Jose Maria Lopez Hernandez (Feb 24)
- RE: High availability design of NIDS Gary Halleen (Feb 23)
- <Possible follow-ups>
- Re: High availability design of NIDS Drew Simonis (Feb 22)
- Re: High availability design of NIDS Michael Allgeier (Feb 23)
- Re: High availability design of NIDS Jon Hart (Feb 24)
- Re: High availability design of NIDS SandroMelo-CSO (Feb 24)
- Re: High availability design of NIDS Jose Maria Lopez Hernandez (Feb 22)