Snort mailing list archives

Re: Snort production setup design


From: Stephen Gantz <stephen.gantz () faculty umuc edu>
Date: Thu, 17 Dec 2015 14:43:51 -0500

I suppose you could deploy multiple Snort instances with an elastic load balancer in front of them. Works great for web 
servers so I don't know why it wouldn't work for IDS sensors. 

Dr. Stephen D. Gantz
CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO
Professor of Information Assurance
The Graduate School
University of Maryland University College
stephen.gantz () faculty umuc edu

On Dec 17, 2015, at 12:43 PM, Steven Dracker <steven () egifter com> wrote:

How would you make this setup HA? Looking to avoid the single point of failure.
 
Thanks,
Steven
 
From: Stephen Gantz [mailto:stephen.gantz () faculty umuc edu] 
Sent: Thursday, December 17, 2015 12:35 PM
To: Steven Dracker <steven () egifter com>
Cc: sandeep dubey <sandeep.sanash () gmail com>; Rodgers, Anthony (DTMB) <RodgersA1 () michigan gov>; snort-users () 
lists sourceforge net
Subject: Re: [Snort-users] Snort production setup design
 
You should be able to implement Snort as an inline IDS in your VPC by adding a Linux instance with two network 
interfaces. Install Snort on that and configure your routing tables and AWS security groups to direct all traffic to 
one interface on the Snort instance, and all downstream devices to receive traffic from the other interface. You can 
set up IP tables to handle the inbound and outbound flow through Snort just as you would on a physical dual-interface 
box. 

Dr. Stephen D. Gantz
CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO
Professor of Information Assurance
The Graduate School
University of Maryland University College
stephen.gantz () faculty umuc edu
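The dual-interface inline layout described in the message above, as an added example that is not part of this thread: a POSIX shell script that prints (or, with --apply, executes) the ip_forward, iptables NFQUEUE and Snort inline commands for such a box. The interface names, queue number, config path and instance id placeholder are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): emits the commands that turn a Linux
# instance with two interfaces into an inline Snort hop. Interface names,
# queue number and file paths below are assumptions.

IN_IF="${IN_IF:-eth0}"    # assumed: interface the VPC route table points at
OUT_IF="${OUT_IF:-eth1}"  # assumed: interface facing the protected subnet
QUEUE="${QUEUE:-0}"       # assumed: NFQUEUE number Snort's nfq DAQ will read
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"  # assumed path

# Print the kernel and iptables commands for the inline hop.
# FORWARD policy DROP plus NFQUEUE means: if Snort is not attached to the
# queue, forwarded packets are dropped (fail-closed). Append --queue-bypass
# to each NFQUEUE rule if fail-open is preferred for availability.
inline_rules() {
    in_if=$1; out_if=$2; queue=$3
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i $in_if -o $out_if -j NFQUEUE --queue-num $queue
iptables -A FORWARD -i $out_if -o $in_if -j NFQUEUE --queue-num $queue
EOF
}

# Snort 2.x command line that reads that queue in inline (-Q) mode.
snort_cmd() {
    printf 'snort -Q --daq nfq --daq-var queue=%s -c %s\n' "$1" "$2"
}

# Number of iptables rules in the plan (used by the self-check).
rule_count() {
    inline_rules "$@" | grep -c '^iptables'
}

# Only touch the system when explicitly asked; otherwise just print the plan.
# The EC2 instance also needs source/destination checking disabled
# (aws ec2 modify-instance-attribute --instance-id <instance-id> \
#     --no-source-dest-check), or the forwarded packets are discarded
# before they ever reach the second interface.
if [ "$1" = "--apply" ]; then
    inline_rules "$IN_IF" "$OUT_IF" "$QUEUE" | sh -e
    exec $(snort_cmd "$QUEUE" "$SNORT_CONF")
else
    inline_rules "$IN_IF" "$OUT_IF" "$QUEUE"
    snort_cmd "$QUEUE" "$SNORT_CONF"
fi
```

Run without arguments to review the plan first; the rules are appended with -A, so re-running --apply on a live box duplicates them and a flush (iptables -F FORWARD) belongs in any real provisioning script. The fail-closed default is the point of the FORWARD DROP policy: an inline sensor that silently forwards when its inspection process dies is a monitoring gap nobody sees until the next audit.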

On Dec 17, 2015, at 9:39 AM, Steven Dracker <steven () egifter com> wrote:

I noticed on the GitHub Security Onion Wiki that it requires a Span Port - “For a production deployment, you'll need 
a tap or SPAN/monitor port. Here are some inexpensive tap/span solutions:”. These solutions look like they are not 
compatible with AWS.
 
My findings are that AWS does not support Span, Tap or Mirror on their network layer to get a copy of traffic to 
inspect, which is needed for Network IDS, so I am confused as to how this solution could be deployed for NIDS on AWS. 
Same thing holds true for Snort.
 
I have only been successful finding Host Based IDS solutions for AWS which require an Agent on each node. Either they 
do the IDS analysis on the node itself or do a “soft-tap” on the host’s network adapter (Not at the VPC Perimeter) 
and pass it to an IDS manager.
 
How do you do inline HIDS on AWS is my question. I am coming up with a lot of the same questions out there but no 
answers.
 
Thanks,
Steve
 
 
From: sandeep dubey [mailto:sandeep.sanash () gmail com] 
Sent: Thursday, December 17, 2015 9:09 AM
To: Rodgers, Anthony (DTMB) <RodgersA1 () michigan gov>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort production setup design
 
Thanks Rodgers for the reply,
 
I am running my production environment on public cloud Amazon Web Services (AWS), where I don't have control for 
installing iso/img etc. 
 
Is SecurityOnion equivalent to OSSIM?
 
On Thu, Dec 17, 2015 at 7:03 PM, Rodgers, Anthony (DTMB) <RodgersA1 () michigan gov> wrote:
Can’t recommend SecurityOnion highly enough.
 
--
Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security
 
From: sandeep dubey [mailto:sandeep.sanash () gmail com] 
Sent: Thursday, December 17, 2015 04:53
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort production setup design
 
Hi, 
 
Is it possible to install Snort in IDS mode on multiple servers (AWS EC2 instances) and have a central server where 
analysis can be done through a GUI and also alerts/notification can be managed like OSSEC? 
 
If yes, what are the tools to use and how to move ahead?
 
--
Regards,
Sandeep


 
--
Regards,
Sandeep
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!