Snort mailing list archives
Re: Snort in a H.A. environment.
From: Saad Kadhi <saad () docisland org>
Date: Mon, 20 Jan 2003 11:19:06 +0100
On Mon, Jan 20, 2003 at 10:18:44AM +0100, Federico Lombardo wrote:
> I have in a production scenario a checkpoint Firewall-1 Cluster-XL Firewall in Active-StandBy configuration. On the active Node-1 (active) I wanna run snort, and no problems with this. The problem I want to solve is: how can I start snort on the other Node-2 when it becomes active, and how can I stop snort on Node-1 when it becomes standby?
well. I think you have considered _all_ the issues involved in running the ids system on the same box as the firewall. so I won't comment on this one ;-).

if you are running linux, you can use a software HA package such as heartbeat [1][2]. but Cluster-XL(tm) must give you the possibility of running a custom script. if this is the case, configure heartbeat on each node to watch over snort [3]. when a given Cluster-XL node fails, a custom script run by Cluster-XL on this node will instruct the heartbeat process to declare as failed [4] so that when the other node becomes active, it will see the peer heartbeat node as being down and start snort and whatever other services you need to put in HA.

it should be noted however that heartbeat only supports two nodes: one active and one passive (or standby if you prefer) while the newer versions AFAIK support multiple nodes, in LB as well as HA mode.

...and now that I think of it, you don't need heartbeat if you can run custom scripts from Cluster-XL or add custom tests. in this case, you can just add snort to the list of monitored services.

in the case that Cluster-XL doesn't allow you to run your home-cooked scripts/tests, you can still use heartbeat but the two HA programs will be unrelated. you can have a situation where the Cluster-XL active node is not the heartbeat one. while ensuring that both boxen receive the traffic you want to monitor is a requirement in this case, you may need to let heartbeat watch over the things that Cluster-XL does watch in order to minimize this kind of situation. but it ain't perfect.

HTH

--
[1] http://www.linux-ha.org
[2] http://www.samag.com/articles/2001/0109/
[3] whatever that means: watch the snort process, disk usage, etc.
[4] you can, for example, stop snort so that heartbeat will go into fail mode

--
Saad Kadhi -- [saad () docisland org] [saad.kadhi () hapsis fr]
[pgp keyid: 35592A6D http://pgp.mit.edu]
[pgp fingerprint: BF7D D73E 1FCF 4B4F AF63 65EB 34F1 DBBF 3559 2A6D]
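The reply above relies on a script that an HA manager can call to start snort on the node that becomes active, stop it on the node that goes standby, and check that it is alive. The following is an added example, not part of the original message and not heartbeat's or Cluster-XL's own code; the start/stop/status interface, the config path, the interface name and the pidfile location are all assumptions.

```shell
#!/bin/sh
# Added example: start/stop/status wrapper an HA manager could call for snort.
# SNORT_CMD and PIDFILE are assumed values; adjust config path and interface.
SNORT_CMD=${SNORT_CMD:-"snort -q -c /etc/snort/snort.conf -i eth0"}
PIDFILE=${PIDFILE:-/var/run/snort-ha.pid}

# LSB-style status: 0 = running, 1 = dead but pidfile left behind, 3 = stopped.
snort_status() {
    [ -f "$PIDFILE" ] || return 3
    if kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then return 0; fi
    return 1
}

# Start without -D (no daemonizing fork) so that $! is the sensor's own pid.
snort_start() {
    if snort_status; then return 0; fi      # already running: idempotent
    rm -f "$PIDFILE"                        # clear a stale pidfile
    $SNORT_CMD >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
    sleep 1                                 # a bad config makes snort exit at once
    snort_status                            # non-zero tells the HA manager it failed
}

# Stop: SIGTERM, wait up to 10 s, then SIGKILL; succeeds once the sensor is gone.
snort_stop() {
    if snort_status; then
        pid=$(cat "$PIDFILE")
        kill "$pid" 2>/dev/null || true
        i=0
        while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 10 ]; do
            sleep 1
            i=$((i + 1))
        done
        if kill -0 "$pid" 2>/dev/null; then kill -9 "$pid" 2>/dev/null || true; fi
    fi
    rm -f "$PIDFILE"
    return 0
}

case "${1:-}" in
    start)  snort_start ;;
    stop)   snort_stop ;;
    status) snort_status ;;
esac
```

The status check only proves that a process with the recorded pid exists, so a monitor that must be sure the sensor is inspecting traffic should also watch that snort's alert or log output keeps advancing.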