[Snort-users] Load Balancing Snort Boxes
Andrew R. Baker
andrewb at ...1150...
Wed Mar 21 12:47:26 EST 2001
It is not very difficult to log the alerts using the database plugin and
a daemon that performs a second pass analysis of the data. The nice
thing about using the database plugin is that you can store all of the packet data
Jason Robertson wrote:
> Okay, a previous message reminded me of a thread I had going a long time
> ago, and someone implemented it to a slight degree.. but not to the same
> degree as I made requests about.
> What I asked for was a multi-stage server.
> The first part of the server, would actually connect to the NIC, on the
> monitoring station and do cursory analysis such as in
> alert tcp !$HOME_NET any -> $HOME_NET 27665 (msg:"DDoS";flags:PA;
> The First server would look for TCP Dest port 27665, and packets with the
> flags PA. If a packet matches, it sends it to the second Server through either a
> tcp socket, unix socket, or pipe.
> The Second Server, would then parse the data, and look for the content
> "killme" and if there is a match it would log or make an alert.
> This could then have the implementation of a new flag, such as the dynamic
> alerts, except you define the beginning and ending packets to match. So
> you can match the first syn packet and the last fin or rst packet, and all
> data that matches the source, dest port and IP is analysed.
> Jason Robertson
> Network Analyst
> jason at ...734...
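The two-stage design Jason describes (a cheap header pre-filter that hands matching packets to a content-matching stage over a socket or pipe, plus a flow mode that opens on the first SYN, closes on FIN/RST and analyses everything in between) is sketched below as an added example. This is not Snort code and not from the original thread; the packets, the `10.0.0.` `$HOME_NET` prefix and the external addresses are constructed, a `queue.Queue` stands in for the pipe between the two servers, and the second stage could equally be the "second pass" daemon Andrew mentions reading from the database plugin. The port and the `killme` content come from the quoted rule.

```python
"""Added example: two-stage analysis of the quoted rule. Stage 1 checks only
the header (direction and destination port); stage 2 does the content match,
both per packet (flags PA) and per flow (SYN ... FIN/RST), so a pattern split
across two data packets is still found."""
from collections import namedtuple
from queue import Queue

Packet = namedtuple("Packet", "src sport dst dport flags payload")

HOME_NET_PREFIX = "10.0.0."   # constructed stand-in for $HOME_NET
DDOS_PORT = 27665             # destination port from the quoted rule
PATTERN = b"killme"           # content the second stage looks for


def in_home_net(ip):
    return ip.startswith(HOME_NET_PREFIX)


def header_match(pkt):
    """Stage 1 test: '!$HOME_NET any -> $HOME_NET 27665'. Flags are not
    checked here so that the SYN and FIN/RST of a flow also reach stage 2."""
    return (not in_home_net(pkt.src)) and in_home_net(pkt.dst) \
        and pkt.dport == DDOS_PORT


def stage1(packets, pipe):
    """First server: forward header matches down the pipe, count them."""
    forwarded = 0
    for pkt in packets:
        if header_match(pkt):
            pipe.put(pkt)
            forwarded += 1
    pipe.put(None)            # end-of-stream marker for stage 2
    return forwarded


class Stage2:
    """Second server: content matching on single packets and on whole flows."""

    def __init__(self, pattern=PATTERN):
        self.pattern = pattern
        self.flows = {}       # (src, sport, dst, dport) -> client data since SYN
        self.alerts = []

    def handle(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # per-packet rule: flags PA and the content inside this one packet
        if "P" in pkt.flags and "A" in pkt.flags and self.pattern in pkt.payload:
            self.alerts.append(("packet", key))
        # flow rule: a bare SYN opens the flow, data accumulates,
        # FIN or RST closes it and the collected stream is analysed
        if "S" in pkt.flags and "A" not in pkt.flags:
            self.flows[key] = bytearray()
            return
        buf = self.flows.get(key)
        if buf is None:       # mid-stream packet whose SYN was never seen
            return
        buf += pkt.payload
        if "F" in pkt.flags or "R" in pkt.flags:
            if self.pattern in bytes(self.flows.pop(key)):
                self.alerts.append(("flow", key))

    def run(self, pipe):
        while True:
            pkt = pipe.get()
            if pkt is None:
                break
            self.handle(pkt)
        return self.alerts


def analyse(packets):
    """Run both stages; returns (packets forwarded by stage 1, alerts)."""
    pipe = Queue()
    forwarded = stage1(packets, pipe)
    return forwarded, Stage2().run(pipe)


# Constructed traffic: flow A carries the pattern in one packet, flow B splits
# it over two packets, the last two packets must be dropped by stage 1.
SAMPLE = [
    Packet("192.0.2.10", 4000, "10.0.0.5", DDOS_PORT, "S", b""),
    Packet("192.0.2.10", 4000, "10.0.0.5", DDOS_PORT, "PA", b"killme\n"),
    Packet("192.0.2.10", 4000, "10.0.0.5", DDOS_PORT, "FA", b""),
    Packet("192.0.2.11", 4001, "10.0.0.5", DDOS_PORT, "S", b""),
    Packet("192.0.2.11", 4001, "10.0.0.5", DDOS_PORT, "PA", b"kil"),
    Packet("192.0.2.11", 4001, "10.0.0.5", DDOS_PORT, "PA", b"lme"),
    Packet("192.0.2.11", 4001, "10.0.0.5", DDOS_PORT, "RA", b""),
    Packet("192.0.2.12", 4002, "10.0.0.5", 80, "PA", b"killme"),        # wrong port
    Packet("10.0.0.7", 4003, "10.0.0.5", DDOS_PORT, "PA", b"killme"),   # source inside $HOME_NET
]

if __name__ == "__main__":
    n, alerts = analyse(SAMPLE)
    print(f"stage 1 forwarded {n} packets")
    for kind, key in alerts:
        print(kind, key)
```

Running it forwards 7 of the 9 packets and raises three alerts: a per-packet and a flow alert for the first connection, and only a flow alert for the second, where the per-packet check cannot see the pattern because it is split across two segments.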