Snort mailing list archives

Re: NIDS in the Cloud (was: Snort on Amazon EC2)


From: Eric G <eric () nixwizard net>
Date: Sat, 26 Jan 2013 13:07:10 -0500

On Sat, Jan 26, 2013 at 1:31 AM, Jason Haar <Jason_Haar () trimble com> wrote:

I can't answer your question, but NIDS in the Cloud is difficult, so
I've got a related question.

How do people monitor EC2 networks full of Windows servers? No
daemonlogger-and-vtun tricks will help snort there...

e.g. is anyone instead putting up a Linux gateway and placing their
network behind that in order to do it "better"? (i.e. make your snort
server the default gateway)

...or I guess you could install snort on every host!! :-)


If you could set up Snort to where it can inject spoofed TCP resets when a
rule fires off further upstream from the Windows boxes (e.g. between router
hops close to the edge), then in such a network you could have Snort
"alongside" the Windows boxes, monitoring the traffic but blocking only when
rules fire off.

I guess there might be a timing issue with that though, because by the time
the rule's fired off the traffic's already left the network. If future
connections from the offending IP were dropped, that'd work though.

--
Eric
http://www.linkedin.com/in/ericgearhart
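The two ideas in this exchange fit together: Jason's Linux box that is the subnet's default gateway is exactly where Eric's "drop future connections from the offending IP" can be enforced, after the fact, without needing packet injection or an agent on every Windows host. The script below is an added example written for this archive page; it is not from the thread and not part of Snort or its tooling. It parses Snort's alert_fast output (the one-line-per-alert format), keeps only external sources that tripped a rule of priority 1 or 2, and emits iptables commands for the gateway's FORWARD chain. The sample alert lines are constructed, and the protected address ranges, the priority threshold and the shape of the iptables command are assumptions for the example.

```python
"""Turn Snort alert_fast output into gateway-side blocks of the offending
source IPs. Added example for this thread; not Snort's own tooling.
The sample alerts, the protected ranges and the iptables command shape
are assumptions made for the example."""
import ipaddress
import re

# Constructed sample alert_fast lines (not from a real sensor). In Snort's
# scheme priority 1 is the most severe and 3 the least.
SAMPLE_ALERTS = """\
01/26-13:01:10.101010  [**] [1:1000001:1] EXAMPLE SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:51234 -> 10.0.1.10:445
01/26-13:01:11.202020  [**] [1:1000001:1] EXAMPLE SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:51235 -> 10.0.1.11:445
01/26-13:02:00.303030  [**] [1:1000002:1] EXAMPLE RDP brute force [**] [Priority: 1] {TCP} 203.0.113.9:40001 -> 10.0.1.12:3389
01/26-13:02:05.404040  [**] [1:1000003:2] EXAMPLE internal scan [**] [Priority: 1] {TCP} 10.0.1.1:33333 -> 10.0.1.12:135
01/26-13:02:06.505050  [**] [1:1000004:1] EXAMPLE noisy policy hit [**] [Priority: 3] {UDP} 192.0.2.44:53001 -> 10.0.1.12:53
this line is not an alert and must be skipped
"""

# Ranges the gateway must never block: the instances' own internal address
# space and the gateway itself. Assumed values for the example.
PROTECTED_NETS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_PRIORITY = 2  # react to priority 1 and 2 alerts only (assumed policy)

# alert_fast: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ..]
# [Priority: n] {PROTO} src:port -> dst:port". Classification/Priority are
# absent for rules without a classtype, so that part is optional. IPv4 only.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:.*?\[Priority:\s*(?P<prio>\d+)\])?\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None if the line is
    not a well-formed alert (garbage in the log must not produce a block)."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    try:
        ipaddress.ip_address(d["src"])
        ipaddress.ip_address(d["dst"])
    except ValueError:
        return None
    for k in ("gid", "sid", "rev", "sport", "dport"):
        d[k] = int(d[k]) if d[k] is not None else None
    # No classtype means no priority was printed; treat it as the lowest.
    d["prio"] = int(d["prio"]) if d["prio"] is not None else 3
    return d


def is_protected(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROTECTED_NETS)


def offending_sources(lines, max_priority=MAX_PRIORITY):
    """Return {src_ip: {"hits": n, "sids": set}} for sources worth blocking:
    external addresses seen in an alert of priority <= max_priority."""
    offenders = {}
    for line in lines:
        a = parse_alert(line)
        if a is None or a["prio"] > max_priority or is_protected(a["src"]):
            continue
        entry = offenders.setdefault(a["src"], {"hits": 0, "sids": set()})
        entry["hits"] += 1
        entry["sids"].add(a["sid"])
    return offenders


def block_commands(offenders):
    """iptables commands for a Linux box that is the subnet's default gateway.
    Matching only NEW connections drops future sessions from the source while
    leaving already-established ones alone, which is what the thread asks for."""
    cmds = []
    for ip in sorted(offenders, key=ipaddress.ip_address):
        sids = ",".join(str(s) for s in sorted(offenders[ip]["sids"]))
        cmds.append(
            f"iptables -I FORWARD -s {ip} -m conntrack --ctstate NEW "
            f'-m comment --comment "snort sid {sids}" -j DROP'
        )
    return cmds


if __name__ == "__main__":
    # Commands are printed, not executed, so they can be reviewed or piped
    # to a wrapper; in practice the input would be tail -F of the alert file.
    for cmd in block_commands(offending_sources(SAMPLE_ALERTS.splitlines())):
        print(cmd)
```

Two design points follow directly from the thread. The timing caveat Eric raises still applies: the packets that triggered the alert have already passed the gateway, and only the source's later connections are dropped. And because the script refuses to block anything in the protected ranges, a false positive on an internal host (the constructed "internal scan" line above) cannot cut that host, or the gateway itself, off from the network.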
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!