[Snort-devel] snort distributed

Guthrie, Jeremy jeremy.guthrie at ...276...
Mon Feb 7 05:58:08 EST 2005

Some others and I have worked around this problem using what we call an IDS load balancer. It can take in multiple feeds and stream them to the right sensor. I'll hopefully have the howto finished in the next week or so.

Jeremy M. Guthrie        jeremy.guthrie at ...276...
Senior Network Engineer        Phone: 608-298-1061
Berbee                           Fax: 608-288-3007
5520 Research Park Drive         NOC: 608-298-1102
Madison, WI 53711

-----Original Message-----
From: snort-devel-admin at lists.sourceforge.net on behalf of Martin Muench
Sent: Mon 2/7/2005 7:09 AM
To: 'snort-devel at lists.sourceforge.net'
Subject: [Snort-devel] snort distributed
Hi everyone

I'm a student from Germany and am searching for an interesting
project for my diploma.

I was playing around with Snort for a while and would like to make
Snort a distributed system.

The problem:

Imagine you have a network which uses dynamic routing (in this
simple example, 2 routes).
You have 2 Snort sensors, one on each route. Now we try to connect
to a TCP server behind the two sensors. The three-way handshake went
over route 1, and the stream4 preprocessor on sensor1 has the
session in its state table.

When the route changes and we use route 2 for the rest of the
session, sensor2 will drop the packets because it has no entry in its
state table.


Hm, as far as I know, the only solution would be to implement Snort as a
distributed system (and I don't mean the place where you store logs
and alerts from different sensors). It affects not only stream4; think
about "get /etc/" going over sensor1 and "passwd" over sensor2....

The question(s):

Well, to be honest, I didn't take much time to research the Snort source
code; I just want to ask if it is possible for an experienced C
programmer to add this feature to Snort in 4 or 5 months (full time)?

Are there any projects which are targeting this problem already?

Any other interesting problems to solve?
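The session-affinity idea behind the IDS load balancer Jeremy describes above, as an added illustration that is not code from the thread or from any Berbee tool: a direction-independent flow hash assigns every packet of a TCP session to the same sensor no matter which route (tap) delivered it, so sensor2 never receives mid-stream packets for a session that sensor1 set up. The sensor count, addresses and packet records are constructed for the example.

```python
import hashlib
from collections import namedtuple

# Constructed packet record: ingress tap (0 = route 1, 1 = route 2),
# endpoints, and TCP flags. Hypothetical format, not a Snort structure.
Packet = namedtuple("Packet", "tap src sport dst dport flags")


def flow_key(pkt):
    """Canonical 5-tuple: the two endpoints are sorted so that
    client->server and server->client packets produce the same key."""
    lo, hi = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return f"tcp|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"


def pick_sensor(pkt, n_sensors):
    """Map a packet to a sensor index by hashing its flow key only.
    The ingress tap is deliberately ignored: route changes must not
    change the sensor, or stream4 loses the session mid-stream."""
    digest = hashlib.sha256(flow_key(pkt).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_sensors


def distribute(packets, n_sensors):
    """Return {sensor index: [packets]} as a balancer would queue them."""
    queues = {i: [] for i in range(n_sensors)}
    for pkt in packets:
        queues[pick_sensor(pkt, n_sensors)].append(pkt)
    return queues


def sensors_per_tap(packets):
    """Naive tap-to-sensor mapping from the thread: sensor == tap."""
    return {pkt.tap for pkt in packets}


# Constructed session: handshake over route 1, rest of the session
# over route 2 after the routing change described in the thread.
SESSION = [
    Packet(0, "10.0.0.5", 40001, "192.0.2.10", 80, "S"),
    Packet(0, "192.0.2.10", 80, "10.0.0.5", 40001, "SA"),
    Packet(0, "10.0.0.5", 40001, "192.0.2.10", 80, "A"),
    Packet(1, "10.0.0.5", 40001, "192.0.2.10", 80, "PA"),
    Packet(1, "192.0.2.10", 80, "10.0.0.5", 40001, "A"),
]


def sensors_seeing_session(packets, n_sensors):
    """Set of sensors that receive any packet of the session."""
    return {pick_sensor(pkt, n_sensors) for pkt in packets}


if __name__ == "__main__":
    print("per-tap sensors:", sensors_per_tap(SESSION))           # 2 sensors
    print("flow-hash sensors:", sensors_seeing_session(SESSION, 2))  # 1 sensor
```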


