[Snort-users] Load Balancing Snort Boxes

Jason Robertson jason at ...734...
Tue Mar 20 14:55:05 EST 2001

Okay, a previous message reminded me of a thread I had going a long time 
ago, which someone implemented to a slight degree, but not to the same 
degree as I had requested.

What I asked for was a multi-stage server.
The first part of the server would actually connect to the NIC on the 
monitoring station and do cursory analysis, such as in

alert tcp !$HOME_NET any -> $HOME_NET 27665 (msg:"DDoS"; flags:PA; content:"killme";)

The first server would look for TCP dest port 27665 and packets with the 
flags PA.  If a packet matches, it sends it to the second server through 
either a TCP socket, Unix socket, or pipe.

The second server would then parse the data and look for the content 
"killme", and if there is a match it would log or make an alert.

This could then have the implementation of a new flag, such as the dynamic 
alerts, except you define the beginning and ending packets to match.  So 
you can match the first SYN packet and the last FIN or RST packet, and all 
data that matches the source, dest port and IP is analysed.


Jason Robertson                
Network Analyst            
jason at ...734...    
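The two-stage design described in the post above, as an added example that is not Snort code and not the poster's code. Stage one does only the header test from the rule (direction, dest port 27665, flags PA) and forwards hits over a Unix socket pair to stage two, which does the content test for "killme". A SessionTracker class shows the "dynamic" idea of matching from the first SYN to the last FIN or RST on a flow, which catches the content even when it is split across segments. $HOME_NET as 10.0.0.0/24 and all packets are assumptions constructed for the example.

```python
"""Two-stage Snort-style matcher in the shape the post sketches.
Added example, not code from Snort or from the poster. Stage one does the
cheap header test and forwards hits over a Unix socket pair; stage two does
the content test. SessionTracker opens a flow on SYN, collects its data,
closes it on FIN/RST and searches the whole stream. All packets are
constructed for the example.
"""
import json
import socket
import threading
from dataclasses import dataclass

HOME_NET = "10.0.0."    # assumption: $HOME_NET is 10.0.0.0/24
PORT = 27665
CONTENT = b"killme"

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # Snort flag letters: S, A, P, F, R
    payload: bytes = b""

def direction_match(p: Packet) -> bool:
    """'tcp !$HOME_NET any -> $HOME_NET 27665' from the rule."""
    return (not p.src.startswith(HOME_NET) and p.dst.startswith(HOME_NET)
            and p.dport == PORT)

def header_match(p: Packet) -> bool:
    """Stage one: header only. flags:PA means exactly PSH+ACK set."""
    return direction_match(p) and set(p.flags) == {"P", "A"}

def alert_text(p: Packet) -> str:
    return f"DDoS {p.src}:{p.sport} -> {p.dst}:{p.dport}"

def encode(p: Packet) -> bytes:
    """One JSON line per forwarded packet; payload carried as hex."""
    d = p.__dict__.copy()
    d["payload"] = p.payload.hex()
    return (json.dumps(d) + "\n").encode()

def decode(line: bytes) -> Packet:
    d = json.loads(line)
    d["payload"] = bytes.fromhex(d["payload"])
    return Packet(**d)

def stage_two(conn: socket.socket, alerts: list) -> None:
    """Stage two: read forwarded packets until EOF, content-match each one."""
    with conn.makefile("rb") as f:
        for line in f:
            p = decode(line)
            if CONTENT in p.payload:
                alerts.append(alert_text(p))

def run_pipeline(packets) -> list:
    """Stage one in this thread, stage two in a worker, joined by a socket."""
    a, b = socket.socketpair()
    alerts = []
    worker = threading.Thread(target=stage_two, args=(b, alerts))
    worker.start()
    with a:
        for p in packets:
            if header_match(p):
                a.sendall(encode(p))
    worker.join()          # closing 'a' gives stage two EOF
    b.close()
    return alerts

class SessionTracker:
    """Per-flow matching from the first SYN to the last FIN or RST."""
    def __init__(self):
        self.flows = {}    # (src, sport, dst, dport) -> bytes seen so far
        self.alerts = []

    def feed(self, p: Packet) -> None:
        key = (p.src, p.sport, p.dst, p.dport)
        if "S" in p.flags and "A" not in p.flags:   # client SYN opens a flow
            if direction_match(p):
                self.flows[key] = b""
            return
        if key not in self.flows:                   # no SYN seen: ignore
            return
        self.flows[key] += p.payload
        if "F" in p.flags or "R" in p.flags:        # FIN/RST closes it
            data = self.flows.pop(key)
            if CONTENT in data:                     # search the reassembled stream
                self.alerts.append(alert_text(p))

# Constructed traffic: one flow splits "killme" across two segments, one
# single packet carries it whole, and two packets fail the header test.
PACKETS = [
    Packet("192.0.2.7", 40000, "10.0.0.5", 27665, "S"),
    Packet("192.0.2.7", 40000, "10.0.0.5", 27665, "A"),
    Packet("192.0.2.7", 40000, "10.0.0.5", 27665, "PA", b"kill"),
    Packet("192.0.2.7", 40000, "10.0.0.5", 27665, "PA", b"me\n"),
    Packet("192.0.2.7", 40000, "10.0.0.5", 27665, "FA"),
    Packet("192.0.2.9", 40001, "10.0.0.5", 27665, "PA", b"killme\n"),
    Packet("10.0.0.5", 27665, "192.0.2.9", 40001, "PA", b"killme\n"),  # wrong direction
    Packet("192.0.2.9", 40002, "10.0.0.5", 80, "PA", b"killme\n"),     # wrong port
]

def session_alerts(packets) -> list:
    t = SessionTracker()
    for p in packets:
        t.feed(p)
    return t.alerts

if __name__ == "__main__":
    print("per-packet:", run_pipeline(PACKETS))
    print("per-session:", session_alerts(PACKETS))
```

Run as-is, the per-packet pipeline alerts only on the flow that carries "killme" in one segment, while the session tracker alerts only on the flow whose SYN it saw, catching the split "kill" + "me" that the per-packet path misses. That difference is the point of defining begin and end packets rather than matching segment by segment.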

