[Snort-users] Load Balancing Snort Boxes

Andrew R. Baker andrewb at ...1150...
Wed Mar 21 12:47:26 EST 2001


It is not very difficult to log the alerts using the database plugin and
then create a daemon that performs a second-pass analysis of the data.
The nice thing about using the database plugin is that you can store all
of the packet data with the alert.

-A

Jason Robertson wrote:
> 
> Okay, a previous message reminded me of a thread I had going a long time
> ago, and someone implemented it to a slight degree, but not to the same
> degree as I had asked for.
> 
> What I asked for was a multi-stage server.
> The first part of the server would actually connect to the NIC on the
> monitoring station and do cursory analysis, such as in
> 
> alert tcp !$HOME_NET any -> $HOME_NET 27665 (msg:"DDoS";flags:PA;
> content:"killme";)
> 
> The first server would look for TCP dest port 27665 and packets with the
> flags PA.  If a packet matches, it sends it to the second server through
> either a TCP socket, Unix socket, or pipe.
> 
> The second server would then parse the data and look for the content
> "killme", and if there is a match it would log or make an alert.
> 
> This could then have the implementation of a new flag, such as the dynamic
> alerts, except you define the beginning and ending packets to match.  So
> you can match the first SYN packet and the last FIN or RST packet, and all
> data that matches the source, dest port and IP is analysed.
> 
> Jason
> 
> ---
> Jason Robertson
> Network Analyst
> jason at ...734...
> http://www.astroadvice.com
> 



