uses of multiple sensors - reply & follow-up question

["Cloppert, Michael" <Michael.Cloppert () 53 com>]

(see below) I have a response and an add-on question:

We are using multiple snort sensors for the following reasons:
1) capacity - we plan on deploying 12 sensors.  one box won't be able to
handle this.
2) location - with a separate DR site and therefore separate gateway to the
Big Bad Internet, we obviously need another box here
3) redundancy.  if we have one server monitoring all of our network traffic
everywhere, and something fatal happens to that box, suddenly we go from
excellent NIDS coverage to none.

My follow-up question is this:
Does anyone have a good solution in place for multiple, physically separated
snort boxes (up to 6 is what I'm thinking)?  My options, as I see them, are
the following:

1) Configure snort to pump data to a mySQL instance on a separate system.
The problem with doing this is that if a network segment goes down (think:
DoS) then suddenly I lose all forensic data to that portion of the network.
Easy cover-up for an attack (combine DoS & exploits, run free).
2) A different instance of mySQL on each system.  Obviously this is terribly
unwieldy, especially from an analysis perspective (6 web browsers up looking
at 6 different ACID screens?  ACK!)
3) Different instance of MySQL on each sensor, and also a central mySQL
instance.  Configure snort with 2 output databases: the local mySQL instance
and the central database.  Analysts look at events via ACID from the central
database.  This fixes the problems with (1) and (2), but couldn't this get
terribly CPU-intensive?  I've heard multiple output plugins can REALLY kill
snort's capacity.
4) Different instance of MySQL on each sensor, and also a central mySQL
database.  Configure snort to output only to the local database, and on a
short schedule (say every 5 mins) pump new events to the central mySQL
database via fun scripts & such.  Analysts look at events via ACID from the
central database.  This fixes the problem in (3) but creates two more: a)
pain in the butt scripting it all up, and making sure there are no duplicate
sid/cid pairs on the central database; b) the central database, which is
what analysts will see, is only as up-to-date as my replicate schedule from
the remote sensors.

Anyone with experience in multiple-sensor environments - if you have
comments or recommendations, by all means let us know!!!

Mike Cloppert

> -----Original Message-----
> From: sunzi [mailto:sunzi () mod-x co uk]
> Sent: Thursday, March 20, 2003 7:32 AM
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] uses of multiple sensors
>
>
> Bishan,
>
> I use multiple sensors to break up my rulesets according to 
> the systems(s)
> there protecting. I've been known to create a single node for
> network-centric attacks, and others for rules directly 
> affecting various
> operating systems in the LAN.
>
> Also, on the actual systems that I run snort (some are 
> physically located on
> critical servers) I use it to drasticly lighten the load of 
> the sensor in
> question. For example, on Web servers, I am known to run 
> multiple instances
> of snort, a primary that is only concerned about port 80, one 
> that looks at
> everythign else according to O/S, and one that I have ready 
> to go to sniff
> 100% of traffic from a subnet on that machine. I also have a 
> tendancy to use
> a highly restricted ruleset and couple it with BlackIce for 
> my Win32 Servers
> to provide auto-blockage for a limited ruleset of y choosing.
>
> It may seem kinda drastic, or even crazy, but it's flexible, 
> and still light
> on memory when tweaked well. I've been able to easily run 
> upwards of 10
> snort nodes on a production Web server that was getting well over 200
> concurrant users, and has been known to get 500+.
>
> hth,
> sunzi
>
> ----- Original Message -----
> From: "Always Bishan" <bishan4u () yahoo co uk>
> To: <snort-users () lists sourceforge net>
> Sent: Thursday, March 20, 2003 6:30 AM
> Subject: [Snort-users] uses of multiple sensors
>
>
> > hi snorters,
> >
> > i have 2 snort sensors in my network.
> >
> > one use that i can make out of having multiple sensors
> > is for load balancing, that is , i can put it to watch
> > small networks and thus reduce the load on every
> > instance.
> >
> > i think it would be quite beneficial for all of us, if
> > some snort greats present here can enlighten us more
> > on *uses of having multiple sensors*
> >
> > this will definitely help all a lot of us, now and in
> > future.
> >
> > Thanx in advance.
> >
> > Bishan
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Everything you'll ever need on one web page
> > from News and Sport to Email and Music Charts
> > http://uk.my.yahoo.com
> >
> >
> > -------------------------------------------------------
> > This SF.net email is sponsored by: Tablet PC.
> > Does your code think in ink? You could win a Tablet PC.
> > Get a free Tablet PC hat just for playing. What are you waiting for?
> > http://ads.sourceforge.net/cgi-bin/redirect.pl?micr5043en
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Tablet PC.  
> Does your code think in ink? You could win a Tablet PC. 
> Get a free Tablet PC hat just for playing. What are you waiting for? 
> http://ads.sourceforge.net/cgi-bin/redirect.pl?micr5043en
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.net email is sponsored by:
The Definitive IT and Networking Event. Be There!
NetWorld+Interop Las Vegas 2003 -- Register today!
http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users