Re: Snort production setup design

[sandeep dubey <sandeep.sanash () gmail com>]

I have installed and configure OSSEC as agent and server for monitoring the
system level changes like files, integrity, log monitoring, packages
changes, ports changes etc.

Not monitoring any network related stuff though.

On Thu, Dec 17, 2015 at 8:09 PM, Steven Dracker <steven () egifter com> wrote:

> I noticed on the GitHub Security Onion Wiki that it requires a Span Port
> - “For a production deployment, you'll need a tap or SPAN/monitor port.
> Here are some inexpensive tap/span solutions:”. These solutions look like
> they are not compatible with AWS.
>
>
>
> My findings are that AWS does not support Span, Tap or Mirror on their
> network layer to get a copy of traffic to inspect which is needed for
> Network IDS. so I am confused as to how this solution could be deployed for
> NIDS on AWS. Same thing holds true for Snort.
>
>
>
> I have only been successful finding Host Based IDS solutions for AWS which
> require an Agent on each node. Either they do the IDS analysis on the node
> itself or do a “soft-tap” on the host’s network adapter (Not at the VPC
> Perimeter) and pass it to an IDS manager.
>
>
>
> How do you do inline HIDS on AWS is my question. I am coming up with a lot
> of the same questions out there but no answers.
>
>
>
> Thanks,
>
> Steve
>
>
>
>
>
> *From:* sandeep dubey [mailto:sandeep.sanash () gmail com]
> *Sent:* Thursday, December 17, 2015 9:09 AM
> *To:* Rodgers, Anthony (DTMB) <RodgersA1 () michigan gov>
> *Cc:* snort-users () lists sourceforge net
> *Subject:* Re: [Snort-users] Snort production setup design
>
>
>
> Thanks Rodgers for reply,
>
>
>
> I am running my production environment on public cloud Amazon Web Services
> (AWS), where i don't have control for installing iso/img etc.
>
>
>
> Is SecurityOnion equivalent to OSSIM ?
>
>
>
> On Thu, Dec 17, 2015 at 7:03 PM, Rodgers, Anthony (DTMB) <
> RodgersA1 () michigan gov> wrote:
>
> Can’t recommend SecurityOnion highly enough.
>
>
>
> --
>
> Anthony Rodgers
>
> Security Analyst
>
> Michigan Security Operations Center (MiSOC)
>
> DTMB, Michigan Cyber Security
>
>
>
> *From:* sandeep dubey [mailto:sandeep.sanash () gmail com]
> *Sent:* Thursday, December 17, 2015 04:53
> *To:* snort-users () lists sourceforge net
> *Subject:* [Snort-users] Snort production setup design
>
>
>
> Hi,
>
>
>
> Is it possible to install snort in IDS mode on multiple servers (AWS EC2
> instances ) and have a central server where analysis can be done through
> gui and also alerts/notification can be managed like OSSEC ?
>
>
>
> If yes, what is the tools to use and how to move ahead?
>
>
>
> --
>
> Regards,
>
> Sandeep
>
>
>
>
>
> --
>
> Regards,
>
> Sandeep



-- 
Regards,
Sandeep

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!