Re: Snort production setup design

[sandeep dubey <sandeep.sanash () gmail com>]

Thanks Charles and all for your opinions and suggestion.

The server i am running is not in VPC mode, it is in Classic mode, this
server is very busy and critical where i don't want to install packages
like OpenVPN etc., however i can create a new server for this purpose if it
works. I want to install minimal package like snort only  which will run in
IDS mode and it's log should go to some server where i should be able to
analyse those logs and send alerts. I want to avoid space issue on server
or i will have to attache EBS volume to store logs locally.

Performance is a big concern in this case because the servers i am running
doesn't support load balance nor HA. It is dedicated 3 servers serving RPC
calls. If any of the server goes down service gets impacted.

I am looking for only Opensource solutions.

Is it possible to install Snort on these server in NIDS mode and ship the
logs to another server like mentioned here -
*http://sublimerobots.com/2015/12/snort-2-9-8-x-on-ubuntu-part-4/
<http://sublimerobots.com/2015/12/snort-2-9-8-x-on-ubuntu-part-4/>*.
In above like it assumes all on single server, where i want snort on my
production servers but logs and other tools mentioned should be on another
dedicated server.

Please bear with me for basic beginner questions and doubt, I am very new
to this (security) field.

Let me know your suggestion, opinions and guidelines.

On Thu, Dec 17, 2015 at 8:46 PM, Davison, Charles Robert <
cdaviso1 () vols utk edu> wrote:

> If you want to do a true NIDS and not a HIDS on all your AWS boxes there
> are a couple of things you can do.
>
>
>
> 1.       Read this article:
> https://github.com/Security-Onion-Solutions/security-onion/wiki/CloudClient
> It describes how you can utilize netsniff-ng as a virtual tap. See below
> for install instructions:
> *Installing **Netsniff-NG: *To install netsniff-ng start by the required
> dependencies:
>
> sudo apt-get install git build-essential ccache flex bison libnl-3-dev
> libnl-genl-3-dev libnl-route-3-dev libgeoip-dev libnetfilter-conntrack-dev
> libncurses5-dev liburcu-dev libnacl-dev libpcap-dev zlib1g-dev libcli-dev
> libnet1-dev
>
> Next, compile and install netsniff-ng.
>
> git clone git://github.com/netsniff-ng/netsniff-ng.git
> cd netsniff-ng
> make
> sudo make install
>
> 2.       The other option would be to buy a cisco virtual router v1000.
> This router will sit at the edge of your VPC. You can tap traffic from an
> entire VPC back to a single NIDs box/cluster, probably the easiest option
> as well. The only thing you wont be able to see is lateral movement within
> an environment since your taped traffic will only be the external
> communications. To cover your assets you will need a HIDs installed on your
> servers for lateral movement. The only downside to this scenario is that
> the router that sits on the edge does not elastically scale. The last time
> I checked the v1000’s get 1GB throughput, bidirectional, at the highest
> licensing tier. You might be able to manually add more v1000’s if you need
> to accommodate higher traffic to a particular VPC, but you might want to
> double check with Cisco on that.
>
> 3.       If you have any further questions reach out to me and I would be
> happy to help.
>
>
>
> *From:* sandeep dubey [mailto:sandeep.sanash () gmail com]
> *Sent:* Thursday, December 17, 2015 7:51 AM
> *To:* Steven Dracker <steven () egifter com>
> *Cc:* Rodgers, Anthony (DTMB) <RodgersA1 () michigan gov>;
> snort-users () lists sourceforge net
>
> *Subject:* Re: [Snort-users] Snort production setup design
>
>
>
> I have installed and configure OSSEC as agent and server for monitoring
> the system level changes like files, integrity, log monitoring, packages
> changes, ports changes etc.
>
>
>
> Not monitoring any network related stuff though.
>
>
>
> On Thu, Dec 17, 2015 at 8:09 PM, Steven Dracker <steven () egifter com>
> wrote:
>
> I noticed on the GitHub Security Onion Wiki that it requires a Span Port
> - “For a production deployment, you'll need a tap or SPAN/monitor port.
> Here are some inexpensive tap/span solutions:”. These solutions look like
> they are not compatible with AWS.
>
>
>
> My findings are that AWS does not support Span, Tap or Mirror on their
> network layer to get a copy of traffic to inspect which is needed for
> Network IDS. so I am confused as to how this solution could be deployed for
> NIDS on AWS. Same thing holds true for Snort.
>
>
>
> I have only been successful finding Host Based IDS solutions for AWS which
> require an Agent on each node. Either they do the IDS analysis on the node
> itself or do a “soft-tap” on the host’s network adapter (Not at the VPC
> Perimeter) and pass it to an IDS manager.
>
>
>
> How do you do inline HIDS on AWS is my question. I am coming up with a lot
> of the same questions out there but no answers.
>
>
>
> Thanks,
>
> Steve
>
>
>
>
>
> *From:* sandeep dubey [mailto:sandeep.sanash () gmail com]
> *Sent:* Thursday, December 17, 2015 9:09 AM
> *To:* Rodgers, Anthony (DTMB) <RodgersA1 () michigan gov>
> *Cc:* snort-users () lists sourceforge net
> *Subject:* Re: [Snort-users] Snort production setup design
>
>
>
> Thanks Rodgers for reply,
>
>
>
> I am running my production environment on public cloud Amazon Web Services
> (AWS), where i don't have control for installing iso/img etc.
>
>
>
> Is SecurityOnion equivalent to OSSIM ?
>
>
>
> On Thu, Dec 17, 2015 at 7:03 PM, Rodgers, Anthony (DTMB) <
> RodgersA1 () michigan gov> wrote:
>
> Can’t recommend SecurityOnion highly enough.
>
>
>
> --
>
> Anthony Rodgers
>
> Security Analyst
>
> Michigan Security Operations Center (MiSOC)
>
> DTMB, Michigan Cyber Security
>
>
>
> *From:* sandeep dubey [mailto:sandeep.sanash () gmail com]
> *Sent:* Thursday, December 17, 2015 04:53
> *To:* snort-users () lists sourceforge net
> *Subject:* [Snort-users] Snort production setup design
>
>
>
> Hi,
>
>
>
> Is it possible to install snort in IDS mode on multiple servers (AWS EC2
> instances ) and have a central server where analysis can be done through
> gui and also alerts/notification can be managed like OSSEC ?
>
>
>
> If yes, what is the tools to use and how to move ahead?
>
>
>
> --
>
> Regards,
>
> Sandeep
>
>
>
>
>
> --
>
> Regards,
>
> Sandeep
>
>
>
>
>
> --
>
> Regards,
>
> Sandeep



-- 
Regards,
Sandeep

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!