[Snort-devel] snort distributed

Martin Muench mmuench at ...1877...
Mon Feb 7 06:17:51 EST 2005

Well this is right, but as I mentioned in my first post,
I don't need a workaround, I'm searching for a programming task
(for my diploma).

Also this will work if you are running the snort sensor
as a normal IDS system, but you can't run it as an IPS in bridged mode
(correct me if I am wrong).

I want the two sensors on two separate machines. As far as
I know the McAfee IPS system is able to do it and I think
this is more than a "nice to have" for enterprise IDS/IPS systems.

thank you


-----Original Message-----
From: Bill Guyton [mailto:guyton at ...2389...]
Sent: Monday, 7 February 2005 14:50
To: Martin Muench
Cc: 'snort-devel at lists.sourceforge.net'
Subject: Re: [Snort-devel] snort distributed

An easier way to do this might be to combine both snort instances into
one instance that listens to both routes/networks.

For example, if I can make the assumption that you are running two snort
instances on the same server, each monitoring the two routes you mention,
then you may be able to "bond" together both of the network interfaces you
are listening on into one network interface.  Under linux, you would use 
the "bonding" driver to create a "bond0" virtual network interface, which
would have the system effectively merge all of the network traffic from both
interfaces into one stream.  AIX (etherchannel) and Solaris (trunking) can
do this as well.

If you have a need to keep the two snort results separate, or if you need
to run them on different machines, then this would not work as well...


On Mon, Feb 07, 2005 at 02:09:47PM +0100, Martin Muench wrote:
> Hi everyone
> I'm a student from Germany and searching for an interesting
> project for my diploma.
> I was playing around with snort for a while and would like to make
> snort into a distributed system.
> The problem:
> Imagine you have a network which uses dynamic routing (in this
> simple example 2 routes).
> You have 2 snort sensors, one in each route. Now we try to connect
> to a tcp server behind the two sensors. The three way handshake was
> going over route 1 and the stream4 preprocessor from sensor1 has the
> session in its state table.
> When the route is changing and we are using route 2 for the rest of the
> session, sensor2 will drop the packets because it has no entry in its
> state table.
> Solution:
> Hm, as far as I know, the only solution would be to implement snort as a
> distributed system (and I don't mean the place where you store logs
> and alerts from different sensors). It affects not only stream4, think
> about "get /etc/" goes over sensor1 and "passwd" over sensor2....
> The question(s):
> Well to be honest, I didn't take much time to research the snort source
> code, I just want to ask if it is possible for an experienced C
> programmer to add this feature to snort in 4 or 5 months (full time) ?
> Are there any projects which are targeting this problem already ?
> Any other interesting problems to solve ???
> thanks
> martin

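As an added illustration (not code from the thread or from Snort), a small Python simulation of the situation Martin describes: a session whose handshake and first segment cross sensor1 while the remaining segment crosses sensor2. With per-sensor state tables the second sensor has no session entry and the split "GET /etc/" + "passwd" payload is never reassembled; with one shared state table the same packets are reassembled and the pattern is found. Addresses, ports and the packet model are constructed and simplified.

```python
from dataclasses import dataclass, field

SIGNATURE = b"GET /etc/passwd"   # content the sensors are looking for


@dataclass
class Packet:                     # simplified TCP segment (constructed model)
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    flags: str = ""
    payload: bytes = b""


def flow_key(p):
    return (p.src, p.dst, p.sport, p.dport)


@dataclass
class Sensor:
    name: str
    table: dict = field(default_factory=dict)   # flow -> {seq: payload}
    alerts: list = field(default_factory=list)
    dropped: int = 0

    def inspect(self, p):
        key = flow_key(p)
        if "S" in p.flags:        # handshake creates the session entry
            self.table[key] = {}
            return
        segs = self.table.get(key)
        if segs is None:          # no state for this session: stream4-style drop
            self.dropped += 1
            return
        segs[p.seq] = p.payload
        stream = b"".join(segs[s] for s in sorted(segs))  # reassemble in order
        if SIGNATURE in stream and key not in self.alerts:
            self.alerts.append(key)


def run(shared_state):
    s1, s2 = Sensor("sensor1"), Sensor("sensor2")
    if shared_state:              # the "distributed" variant: one table for both
        s1.table = s2.table = {}
    flow = dict(src="10.0.0.5", dst="10.0.1.80", sport=40000, dport=80)
    s1.inspect(Packet(seq=1, flags="S", **flow))               # route 1
    s1.inspect(Packet(seq=2, payload=b"GET /etc/", **flow))    # route 1
    s2.inspect(Packet(seq=11, payload=b"passwd HTTP/1.0\r\n", **flow))  # route 2
    return {"sensor1": len(s1.alerts), "sensor2": len(s2.alerts),
            "dropped": s1.dropped + s2.dropped}
```

`run(False)` models independent sensors (one drop, no alert); `run(True)` models the shared state table (no drop, sensor2 alerts).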