Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort in a H.A. environment.

From: Saad Kadhi <saad () docisland org>
Date: Mon, 20 Jan 2003 11:19:06 +0100
On Mon, Jan 20, 2003 at 10:18:44AM +0100, Federico Lombardo wrote:

I've in a production scenario a checkpoint Firewall-1 Cluster-XL Firewall in
Active-StandBy configuration.


On the active Node-1 (active) i wanna run snort, and no problems with this.
The problema I want to solve is:

How I can make possible to start snort on the other Node-2 when it became
active, and how to stop snort in Node-1 when it became standby ???

well. I think you have considered _all_ the issues involved  in  running
the ids system on the same box as the firewall. so I  won't  comment  on
this one ;-).

if you are running linux, you can use a  software  HA  package  such  as
heartbeat [1][2]. but Cluster-XL(tm) must give you  the  possibility  of
running a custom script. 

if this is the case, configure heartbeat on  each  node  to  watch  over
snort [3].

when a given Cluster-XL node fails, a custom script run by Cluster-XL on
this node will instruct the heartbeat process to declare as  failed  [4]
so that when the  other  node  become  active,  it  will  see  the  peer
heartbeat node as being down and start snort and whatever other services
you need to put in HA.

it should be noted however that heartbeat only supports two  nodes:  one
active and one passive (or  standby  if  you  prefer)  while  the  newer
versions AFAIK support multiple nodes, in LB as well as HA mode.

...and now that I think of it, you don't need heartbeat if you  can  run
custom scripts from Cluster-XL or add custom tests. in  this  case,  you
can just add snort to the list of monitored services.

in the case that Cluster-XL doesn't allow you to  run  your  home-cooked
scripts/tests, you can still use heartbeat but the two HA programs  will
be unrelated. you can have a situation where Cluster-XL active  node  is
not the heartbeat one. while ensuring that both boxen receive the trafic
you want to monitor is a requirement in this case, you may need  to  let
heartbeat watch over the things that Cluster-XL does watch in  order  to
minimize this kind of situations. but it ain't perfect.

HTH
--
[1] http://www.linux-ha.org
[2] http://www.samag.com/articles/2001/0109/
[3] whatever that means : watch the snort process, disk usage, etc.
[4] you can for example, stop snort so that heartbeat will go into  fail
    mode
-- 
Saad Kadhi -- [saad () docisland org] [saad.kadhi () hapsis fr]
[pgp keyid: 35592A6D http://pgp.mit.edu]
[pgp fingerprint: BF7D D73E 1FCF 4B4F AF63  65EB 34F1 DBBF 3559 2A6D]
---


-------------------------------------------------------
This SF.NET email is sponsored by: FREE  SSL Guide from Thawte
are you planning your Web Server Security? Click here to get a FREE
Thawte SSL guide and find the answers to all your  SSL security issues.
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: