[Snort-users] load balancing snort/IDS

Dragos Ruiu dr at ...381...
Mon Sep 25 18:30:08 EDT 2000


All good questions. In reply:

A short-term version of this with static process
configuration can be achieved by using multiple
snorts on multiple machines.

By distributing the rule checks appropriately across multiple
machines you could manually load balance the machines.
E.g. put the web checks on one machine, put the
SMTP ones on another... etc...

I have a hunch (well maybe a little more than a hunch :-)  that
there are some better ways to do this too... that we will be seeing 
announced shortly ;-) as well as the Top Layer switch solution 
you discussed. 

cheers,
--dr

On Mon, 25 Sep 2000, Erik Engberg wrote:
> A little bit off topic but I wanted to know if anyone has any experience in
> load balancing NIDS on heavily trafficked lines like a congested 100Mbit or
> even a gigabit line.
> 
> I have thought about doing some balancing with layer7 switches. There are
> several available like Alteon (preferable for us), Foundry and Arrowpoint.
> Also there is a company called Top Level that markets a layer7 switch as an
> IDS load balancer, anyone tried that one?
> 
> Some of the questions that will undoubtedly arise are...
> 
> How do I balance the traffic? In real life and also how would I really want
> it balanced?
> Would I prefer to have one machine taking care of all HTTP, another taking
> SMTP and another taking another protocol and so on or would I prefer to
> divide the traffic by destination or source addresses or maybe some other
> load balancing algorithm?
> How would I solve things like scans and DoS attacks that use multiple
> source/destination addresses and several ports?
> 
> Could I cluster snort (or another IDS) for more CPU power and do the
> analysis in full cluster processes? Because if I got everything right it's
> mainly CPU that we are short of for analysis.
> 
> In a cluster solution, would I want more than one machine actually listening
> on the wire?
> Would it be an option to let every machine sniff all the traffic (tcpdump
> style) and then just do the rules matching/detection on separate segments of
> it and combine the results?
> Or would I prefer that one machine gathers all the data and distributes to
> the separate machines for analysis of their small chosen portion.
> 
> Have you put any thought into the - present or future - snort development
> for distributed analysis?
> 
> I wouldn't personally mind a little bit more delay in the alert/response
> phase if it meant I could do higher bandwidths ;)
> 
> /Erik
> 
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
-- 
Dragos Ruiu <dr at ...50...>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net
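The thread weighs several ways of splitting a link across sensors: the manual rule split Dragos describes (web checks on one box, SMTP on another), and the per-source, per-destination or per-flow hashing a layer-7 switch would do. The added example below is not from the thread or from Snort; it models each scheme over constructed packets and measures the point Erik raises about scans and DoS: how many sensors end up seeing pieces of one event, since a Snort instance can only count what arrives on its own wire. The port-to-sensor layout, the sha1 bucketing and the traffic generators are all assumptions chosen for illustration.

```python
"""Compare NIDS traffic-splitting schemes on constructed traffic.

Added example, not Snort code.  A 'sensor' is just an index into a list of
hypothetical Snort boxes; the port layout and hash are illustrative choices.
"""
import hashlib
from collections import Counter, defaultdict, namedtuple

Packet = namedtuple("Packet", "src dst sport dport proto")

# Manual rule split as in the reply: web checks on sensor 0, SMTP on sensor 1,
# everything else on sensor 2.  Assumed layout, not taken from the thread.
PORT_TO_SENSOR = {80: 0, 443: 0, 25: 1}
DEFAULT_SENSOR = 2


def by_protocol(pkt, n_sensors):
    """Route by service port, checking both ends so replies follow requests."""
    for port in (pkt.dport, pkt.sport):
        if port in PORT_TO_SENSOR:
            return PORT_TO_SENSOR[port] % n_sensors
    return DEFAULT_SENSOR % n_sensors


def _bucket(key, n_sensors):
    # Stable hash: Python's str hash() is randomised per process, which would
    # make a second sensor farm (or a re-run) land packets differently.
    digest = hashlib.sha1(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_sensors


def by_src(pkt, n_sensors):
    return _bucket(pkt.src, n_sensors)


def by_dst(pkt, n_sensors):
    return _bucket(pkt.dst, n_sensors)


def by_flow(pkt, n_sensors):
    """Symmetric 5-tuple: both directions of a TCP session reach one sensor,
    which is what stream reassembly on that sensor needs."""
    lo, hi = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return _bucket(f"{pkt.proto}|{lo}|{hi}", n_sensors)


def distribute(packets, scheme, n_sensors):
    """Map each sensor index to the packets it would receive."""
    per_sensor = defaultdict(list)
    for p in packets:
        per_sensor[scheme(p, n_sensors)].append(p)
    return per_sensor


def load(packets, scheme, n_sensors):
    """Packets per sensor; shows how skewed each scheme leaves the boxes."""
    return Counter(scheme(p, n_sensors) for p in packets)


def sensors_seeing(packets, scheme, n_sensors):
    """Number of sensors that get at least one packet of this event.
    1 means one Snort instance sees the whole thing and can threshold on it;
    more means the event is fragmented and no single sensor sees the count."""
    return len({scheme(p, n_sensors) for p in packets})


# Constructed traffic samples (synthetic, RFC 1918 addresses).
def port_sweep(src="10.0.0.9", targets=32):
    """Horizontal scan: one source probes port 22 on many hosts."""
    return [Packet(src, f"192.168.1.{i}", 40000 + i, 22, "tcp")
            for i in range(1, targets + 1)]


def portscan(src="10.0.0.9", dst="192.168.1.5", ports=100):
    """Vertical scan: one source, one target, ports 1..ports."""
    return [Packet(src, dst, 50000 + i, 1 + i, "tcp") for i in range(ports)]


def ddos(dst="192.168.1.80", sources=64):
    """Flood of port-80 SYNs from many sources at one web server."""
    return [Packet(f"172.16.{i // 256}.{i % 256}", dst, 1024 + i, 80, "tcp")
            for i in range(sources)]


if __name__ == "__main__":
    n = 4
    for name, event in (("port sweep", port_sweep()),
                        ("port scan", portscan()),
                        ("DDoS", ddos())):
        for scheme in (by_protocol, by_src, by_dst, by_flow):
            print(f"{name:10s} {scheme.__name__:12s} "
                  f"sensors seeing it: {sensors_seeing(event, scheme, n)}  "
                  f"load: {dict(load(event, scheme, n))}")
```

Each scheme keeps some attack class whole and fragments another: per-source keeps a scanning host on one sensor but spreads a many-source flood; per-destination does the reverse; per-flow gives every TCP session to one box but fragments anything spanning sessions. The manual rule split keeps whole events together yet funnels all port-80 traffic, floods included, onto the web sensor, so that sensor's load is set by the attacker. In the manual scheme each box would run its own snort with the matching rule subset and a tcpdump-style BPF filter restricting it to those ports; the hash schemes are what the switch does upstream of the sensors.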


