[Snort-devel] snort distributed

Bill Guyton guyton at ...2389...
Mon Feb 7 06:38:28 EST 2005


An easier way to do this might be to combine both snort instances into
one instance that listens to both routes/networks.

For example, if I can make the assumption that you are running two snort
instances on the same server, each monitoring the two routes you mention,
then you may be able to "bond" together both of the network interfaces you
are listening on into one network interface.  Under linux, you would use 
the "bonding" driver to create a "bond0" virtual network interface, which
would have the system effectively merge all of the network traffic from both
interfaces into one stream.  AIX (etherchannel) and Solaris (trunking) can
do this as well.

If you have a need to keep the two snort results separate, or if you need
to run them on different machines, then this would not work as well...

-Bill



On Mon, Feb 07, 2005 at 02:09:47PM +0100, Martin Muench wrote:
> Hi everyone
> 
> I'm a student from Germany and am searching for an interesting 
> project for my diploma.
> 
> I was playing around with snort for a while and would like to make
> snort into a distributed system.
> 
> The problem:
> 
> Imagine you have a network which uses dynamic routing (in this 
> simple example 2 routes). 
> You have 2 snort sensors, one in each route. Now we try to connect
> to a tcp server behind the two sensors. The three way handshake went
> over route 1 and the stream4 preprocessor from sensor1 has the
> session in its state table.
> 
> When the route changes and we are using route 2 for the rest of the
> session, sensor2 will drop the packets because it has no entry in its
> state table.
> 
> Solution:
> 
> Hm, as far as I know, the only solution would be to implement snort as a
> distributed system (and I don't mean the place where you store logs
> and alerts from different sensors). It affects not only stream4, think
> about "get /etc/" goes over sensor1 and "passwd" over sensor2.... 
> 
> The question(s):
> 
> Well, to be honest, I didn't take much time to research the snort source
> code, I just want to ask if it is possible for an experienced C
> programmer to add this feature to snort in 4 or 5 months (full time)?
> 
> Are there any projects which are targeting this problem already ?
> 
> Any other interesting problems to solve ???
> 
> thanks
> 
> martin
> 
> 
> 
> 
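The state-table problem Martin describes, and the two remedies discussed in the thread (one shared session table across sensors, or Bill's suggestion of merging both interfaces into a single sensor), as an added simulation that is not part of the original thread and not Snort's own code. The `Sensor` class is a deliberately simplified stand-in for stream4 (an assumption, not a description of the real preprocessor): a flow must complete the handshake before its payload is reassembled and matched, and a midstream packet for an unknown flow is dropped. Hosts, packets and the signature are constructed sample data.

```python
"""Simulate TCP session tracking across two Snort sensors on two routes.

Added example; the Sensor model is a simplification of stream4, not its code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: frozenset          # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
    payload: bytes = b""


# Constructed content signature; the request is split across two packets below.
SIGNATURE = b"GET /etc/passwd"


class Sensor:
    """Minimal stream4-style tracker (assumed model, not the real preprocessor)."""

    def __init__(self, name, state=None):
        self.name = name
        # flow key -> {"established": bool, "data": reassembled client bytes}
        # Passing the same dict to two sensors models a shared/distributed table.
        self.state = state if state is not None else {}
        self.dropped = []     # midstream packets with no matching session
        self.alerts = []      # flow keys on which SIGNATURE matched

    def inspect(self, pkt):
        key = frozenset({pkt.src, pkt.dst})   # bidirectional flow key (simplified)
        if pkt.flags == {"SYN"}:
            self.state[key] = {"established": False, "data": b""}
            return
        flow = self.state.get(key)
        if flow is None:
            # No handshake seen on this sensor: stream4-like behaviour is to drop.
            self.dropped.append(pkt)
            return
        if pkt.flags == {"SYN", "ACK"}:
            return
        if pkt.flags == {"ACK"}:
            flow["established"] = True
        if flow["established"] and pkt.payload:
            flow["data"] += pkt.payload
            if SIGNATURE in flow["data"]:
                self.alerts.append(key)


CLIENT, SERVER = "10.0.0.5", "10.0.0.80"   # constructed addresses


def packet(src, dst, *flags, payload=b""):
    return Packet(src, dst, frozenset(flags), payload)


HANDSHAKE = [
    packet(CLIENT, SERVER, "SYN"),
    packet(SERVER, CLIENT, "SYN", "ACK"),
    packet(CLIENT, SERVER, "ACK"),
]
# The request body is split so that "GET /etc/" and "passwd" travel separately.
REQUEST = [
    packet(CLIENT, SERVER, "ACK", payload=b"GET /etc/"),
    packet(CLIENT, SERVER, "ACK", payload=b"passwd HTTP/1.0\r\n"),
]


def scenario_independent():
    """Handshake and first data packet on route 1, rest on route 2, separate tables."""
    s1, s2 = Sensor("sensor1"), Sensor("sensor2")
    for p in HANDSHAKE + REQUEST[:1]:
        s1.inspect(p)
    for p in REQUEST[1:]:
        s2.inspect(p)
    return s1, s2


def scenario_shared_state():
    """Same traffic split, but both sensors read and write one session table."""
    shared = {}
    s1, s2 = Sensor("sensor1", shared), Sensor("sensor2", shared)
    for p in HANDSHAKE + REQUEST[:1]:
        s1.inspect(p)
    for p in REQUEST[1:]:
        s2.inspect(p)
    return s1, s2


def scenario_bonded():
    """Bill's suggestion: both interfaces merged, one sensor sees every packet."""
    s = Sensor("bond0")
    for p in HANDSHAKE + REQUEST:
        s.inspect(p)
    return s


if __name__ == "__main__":
    for label, sensors in (("independent", scenario_independent()),
                           ("shared", scenario_shared_state()),
                           ("bonded", (scenario_bonded(),))):
        for s in sensors:
            print(f"{label:12} {s.name}: alerts={len(s.alerts)} dropped={len(s.dropped)}")
```

With independent tables, sensor1 only ever holds `GET /etc/` and sensor2 drops the `passwd` packet as midstream, so nothing fires; with a shared table the second sensor completes the reassembly and alerts, and the bonded single sensor alerts as well. The interesting engineering question for the distributed variant is how to keep that table consistent between sensors faster than a route flap, which the simulation glosses over entirely.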



