[Snort-users] load balancing snort/IDS

Fyodor fygrave at ...121...
Mon Sep 25 20:46:12 EDT 2000

~ :How do I balance the traffic? In real life and also how would I really want
~ :it balanced?
~ :Would I prefer to have one machine taking care of all HTTP, another taking
~ :SMTP and another taking another protcol and so on or would I prefer to

This might work.. you can also give a try to balance traffic
`per-connection' or route tcp through one link and udp/icmp through
another. Balancing per-packet will definetely confuse snort's defragger :)

~ :divide the traffic in destination or source adresses or maybe some other
~ :load balancing algorithm.
~ :How would I solve things like scans and DoS attacks that use multiple
~ :source/destination adressses and several ports?
~ :
~ :Could I cluster snort (or another IDS) for more CPU power and do the
~ :analysis in full cluster processes? Because if I got everything right its
~ :mainly CPU that we are short of for analysis.

Wow.. clustering snort sounds fun. :) We probably should have a look into
it some day, got any opensource implementations of clustered processing to
have a look? With non-realtime tasks it's easy to implement, I have done
it once for sample password cracker in uni, but I have very slight idea
how to implement it for R/T applications. Distribution load on
round-robbin manner would be an option, but still you will have to keep a
track on various connections in this `distribution module' to make sure
parts of different connections won't go into different `processing
modules'.. any other thoughts?

~ :
~ :In a cluster solution, would I want more than one machine actually listening
~ :on the wire?

Well, if you perform balancing as well, yes, otherwise probably not.

~ :Would it be an option to let every machine sniff all the traffic (tcpdump
~ :style) and then just do the rules matching/detection on separate segments of
~ :it and combine the results?

yep.. but still parts of a single connection could go into different
segments which might be a pain for you, but probably having `traffic
preprocessor' which won't do rule-matching but just sepaprate connections
and forward them into different segments might make sense here. I think
once(if ;-)) we would be done with `input plugins' this task should be
easier to handle :)

~ :Or would I prefer that one machine gathers all the data and distributes to
~ :the separate machines for analysis of their small chosen portion.
~ :
~ :Have you put any thought into the - present or future - snort development
~ :for distributed analysis?

well, snortnet/snortdog is one of such things.. if you search list
backwards I was planning to move `logging and spooling' tasks into
snortdog  and ip traffic and detection for snort module.. maybe this model
could be extended to handle clustering architecture as well, any thoughts
are welcome of course :)

~ :I wouldn╢t personally mind a little bit more delay in the alert/response
~ :phase if it meant I could do higher bandwidths ;)
~ :


More information about the Snort-users mailing list