Snort mailing list archives

Re: Snort production setup design


From: Steven Dracker <steven () egifter com>
Date: Thu, 17 Dec 2015 15:29:00 +0000

Thanks for the response!

Option 1 works in a similar way to Alert Logic Threat Manager for AWS.

The Option 2 approach I had not considered. I would have to look at pricing and scalability limitations, but this sounds 
more like the kind of solution I am looking for. We already have HIDS on each node, so we are covered laterally.

Regards,
Steven
From: Davison, Charles Robert [mailto:cdaviso1 () vols utk edu]
Sent: Thursday, December 17, 2015 10:17 AM
To: sandeep dubey <sandeep.sanash () gmail com>; Steven Dracker <steven () egifter com>
Cc: Rodgers, Anthony (DTMB) <RodgersA1 () michigan gov>; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort production setup design

If you want to do a true NIDS and not a HIDS on all your AWS boxes there are a couple of things you can do.


1. Read this article: https://github.com/Security-Onion-Solutions/security-onion/wiki/CloudClient It describes 
how you can utilize netsniff-ng as a virtual tap. See below for install instructions:

Installing Netsniff-NG: To install netsniff-ng, start by installing the required dependencies:

sudo apt-get install git build-essential ccache flex bison libnl-3-dev libnl-genl-3-dev libnl-route-3-dev libgeoip-dev 
libnetfilter-conntrack-dev libncurses5-dev liburcu-dev libnacl-dev libpcap-dev zlib1g-dev libcli-dev libnet1-dev

Next, compile and install netsniff-ng.

git clone git://github.com/netsniff-ng/netsniff-ng.git
cd netsniff-ng
make
sudo make install

2. The other option would be to buy a Cisco virtual router v1000. This router will sit at the edge of your VPC. 
You can tap traffic from an entire VPC back to a single NIDS box/cluster, probably the easiest option as well. The only 
thing you won't be able to see is lateral movement within an environment, since your tapped traffic will only be the 
external communications. To cover your assets you will need a HIDS installed on your servers for lateral movement. The 
only downside to this scenario is that the router that sits on the edge does not elastically scale. The last time I 
checked, the v1000s get 1GB throughput, bidirectional, at the highest licensing tier. You might be able to manually add 
more v1000s if you need to accommodate higher traffic to a particular VPC, but you might want to double check with 
Cisco on that.

3. If you have any further questions, reach out to me and I would be happy to help.
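
The virtual-tap idea behind item 1, as an added example that is not from this thread and not the Security Onion CloudClient script itself: netsniff-ng captures on the instance's interface, writes pcap to stdout, and an SSH tunnel carries it to the sensor, where a second netsniff-ng replays the frames onto a dummy interface that Snort listens on. The interface names, sensor address and key path are placeholder assumptions. The BPF filter excludes the tunnel's own SSH session so the mirrored stream does not contain itself; without it the tap feeds back on itself and the volume grows until the link saturates.

```shell
#!/bin/sh
# Added example (not from the thread or from Security Onion): a netsniff-ng
# "virtual tap" from an EC2 instance to a remote Snort sensor over SSH.
# All values below are placeholders; override them via the environment.
set -eu

CAPTURE_IF="${CAPTURE_IF:-eth0}"                       # interface to mirror on the instance
SENSOR="${SENSOR:-snort@sensor.example.internal}"      # user@host of the NIDS sensor
SENSOR_IF="${SENSOR_IF:-dummy0}"                       # interface Snort sniffs on the sensor
SSH_KEY="${SSH_KEY:-/etc/nids/tap_key}"                # key dedicated to the tap tunnel

# BPF expression that drops the tunnel's own SSH traffic to the sensor,
# so the capture never contains the stream carrying the capture.
tap_filter() {
    sensor_host="${1#*@}"
    printf 'not (host %s and port 22)' "$sensor_host"
}

# Capture side: read frames from the interface, write pcap to stdout,
# print nothing to the terminal, apply the feedback-loop filter.
capture_cmd() {
    printf 'netsniff-ng --in %s --out - --silent -f "%s"' "$1" "$(tap_filter "$2")"
}

# Replay side (runs on the sensor): read pcap from stdin and write the
# frames onto the dummy interface. The sensor needs the interface up first:
#   modprobe dummy && ip link set dummy0 up
replay_cmd() {
    printf 'netsniff-ng --in - --out %s --silent' "$1"
}

# Wire both halves together. Both netsniff-ng invocations need root (or
# CAP_NET_RAW/CAP_NET_ADMIN); BatchMode keeps the tunnel non-interactive so
# it can run under a supervisor and fail instead of prompting.
run_tap() {
    eval "$(capture_cmd "$CAPTURE_IF" "$SENSOR")" \
        | ssh -i "$SSH_KEY" -o BatchMode=yes "$SENSOR" "$(replay_cmd "$SENSOR_IF")"
}

# Only start mirroring when explicitly asked: ./tap.sh run
if [ "${1:-}" = "run" ]; then
    run_tap
fi
```

Because the sensor-side key is what lets an instance push traffic onto the sensor, restrict it in the sensor's authorized_keys to that single replay command, and keep the dummy interface isolated from the sensor's real networking so replayed frames are only ever read by Snort.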

From: sandeep dubey [mailto:sandeep.sanash () gmail com]
Sent: Thursday, December 17, 2015 7:51 AM
To: Steven Dracker <steven () egifter com>
Cc: Rodgers, Anthony (DTMB) <RodgersA1 () michigan gov>; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort production setup design

I have installed and configured OSSEC as agent and server for monitoring system-level changes like files, integrity, 
log monitoring, package changes, port changes, etc.

Not monitoring any network related stuff though.

On Thu, Dec 17, 2015 at 8:09 PM, Steven Dracker <steven () egifter com> wrote:
I noticed on the GitHub Security Onion Wiki that it requires a Span Port - “For a production deployment, you'll need a 
tap or SPAN/monitor port. Here are some inexpensive tap/span solutions:”. These solutions look like they are not 
compatible with AWS.

My findings are that AWS does not support SPAN, tap or mirror on their network layer to get a copy of traffic to 
inspect, which is needed for network IDS. So I am confused as to how this solution could be deployed for NIDS on AWS. 
The same thing holds true for Snort.

I have only been successful finding Host Based IDS solutions for AWS which require an Agent on each node. Either they 
do the IDS analysis on the node itself or do a “soft-tap” on the host’s network adapter (Not at the VPC Perimeter) and 
pass it to an IDS manager.

How do you do inline HIDS on AWS is my question. I am coming up with a lot of the same questions out there but no 
answers.

Thanks,
Steve


From: sandeep dubey [mailto:sandeep.sanash () gmail com]
Sent: Thursday, December 17, 2015 9:09 AM
To: Rodgers, Anthony (DTMB) <RodgersA1 () michigan gov>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort production setup design

Thanks, Rodgers, for the reply.

I am running my production environment on the public cloud Amazon Web Services (AWS), where I don't have control over 
installing iso/img etc.

Is SecurityOnion equivalent to OSSIM?

On Thu, Dec 17, 2015 at 7:03 PM, Rodgers, Anthony (DTMB) <RodgersA1 () michigan gov> wrote:
Can’t recommend SecurityOnion highly enough.

--
Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security

From: sandeep dubey [mailto:sandeep.sanash () gmail com]
Sent: Thursday, December 17, 2015 04:53
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort production setup design

Hi,

Is it possible to install Snort in IDS mode on multiple servers (AWS EC2 instances) and have a central server where 
analysis can be done through a GUI and alerts/notifications can also be managed, like OSSEC?

If yes, what are the tools to use and how to move ahead?

--
Regards,
Sandeep



--
Regards,
Sandeep



--
Regards,
Sandeep