[Snort-users] Snort in a H.A. environment.
saad at ...4401...
Mon Jan 20 02:54:05 EST 2003
On Mon, Jan 20, 2003 at 10:50:37AM +0100, Federico Lombardo wrote:
> And why ?
> Is the only way to monitor trespassing traffic in real time.
no. that's false.
example: node1 is active. a cracker(tm) has started an intrusion attempt
on your webserver. the traffic is permitted by the firewall on node1
(handshake completed along the rules). snort has not yet identified the
session as an intrusion because the cracker may be using some evasion
technique or attack patterns are still missing. node1 fails. node2 takes
over (this takes a few seconds if not more). it starts the firewall and
snort processes. you are using state synchronisation, so the cracker
session will be allowed to proceed. snort on node2 didn't see the first
session packets so the pattern is incomplete to identify this as an
intrusion attempt. and during takeover, maybe the cracker launched other
attempts as well. ok these won't necessarily get thru but it may
indicate a global pattern that will help you see what the cracker is
looking for. too bad, they are lost.
> Using span ports in a switch ?
> I don't think this solution will solve my problems... I've a very high
> traffic MAN.
and? if you have a so busy network, your firewalls are probably already
under a heavy load. so you want to stress them more by adding other
processes (snort and co.) that will fight for resources with your
I don't see how running snort on a cluster (configured as
active-passive) is better than dedicating a box to snort and plug in it
on the network segments you want to monitor.
if performance is a problem, dedicate as much boxen as you need to snort
and use a hardware load balancer for example such as top layer.
if 'real time(tm)' is a problem, create IDS farms on the load balancer.
in this case, if one box in a farm fails, no pb. the traffic is still
monitored by other boxen in the same farm.
if running with a single load balancer is a problem, add another one and
configure them in active-passive mode.
> ----- Original Message -----
> From: "Patrice Boulanger" <pboulanger at ...7942...>
> To: "Federico Lombardo" <egopfe at ...125...>
> Sent: Monday, January 20, 2003 10:28 AM
> Subject: RE: [Snort-users] Snort in a H.A. environment.
> > Yes it's a stupid problem... I don't think it's a good idea to run snort
> > on your firewalls !
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [mailto:snort-users-admin at lists.sourceforge.net] On behalf of Federico
> > Lombardo
> > Sent: Monday, January 20, 2003 10:19
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Snort in a H.A. environment.
> > Hi all, I've a stupid problem.
> > I've in a production scenario a checkpoint Firewall-1 Cluster-XL Firewall
> > Active-StandBy configuration.
> > On the active Node-1 (active) i wanna run snort, and no problems with
> > The problem I want to solve is:
> > How can I make it possible to start snort on the other Node-2 when it becomes
> > active, and how to stop snort on Node-1 when it becomes standby ???
> > Every solution is appreciated.
> > Regards,
> > Federico
> > -------------------------------------------------------
> > This SF.NET email is sponsored by: FREE SSL Guide from Thawte
> > are you planning your Web Server Security? Click here to get a FREE
> > Thawte SSL guide and find the answers to all your SSL security issues.
> > http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
Saad Kadhi -- [saad at ...4401...] [saad.kadhi at ...7831...]
[pgp keyid: 35592A6D http://pgp.mit.edu]
[pgp fingerprint: BF7D D73E 1FCF 4B4F AF63 65EB 34F1 DBBF 3559 2A6D]
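A toy model of the failover gap Saad describes, added here as an illustration and not code from the thread or from Snort: a stream-reassembling sensor brought up on the standby node after takeover never sees the bytes sent before failover, so a signature split across the early packets cannot match. The sensor, the addresses and the split HTTP request are constructed for the example.

```python
# Added example (not from the thread or from Snort): why a sensor started
# mid-session after failover misses what a dedicated passive sensor catches.
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    flags: str          # "S" = SYN, "PA" = data, "A" = bare ACK (constructed)
    payload: bytes = b""


@dataclass
class Sensor:
    """Minimal stream-tracking sensor: reassembles payload per session key
    and matches one signature against whatever bytes it has reassembled."""
    signature: bytes
    streams: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def inspect(self, pkt: Packet) -> None:
        key = (pkt.src, pkt.dst)
        # a session picked up mid-stream starts with an empty buffer:
        # the bytes sent before this sensor existed are simply gone
        self.streams.setdefault(key, b"")
        self.streams[key] += pkt.payload
        if self.signature in self.streams[key] and key not in self.alerts:
            self.alerts.append(key)


def build_sample_session() -> list:
    # constructed traffic: the request path is split over two data packets
    return [
        Packet("10.0.0.5", "192.0.2.10", "S"),
        Packet("10.0.0.5", "192.0.2.10", "PA", b"GET /cgi-bin/b"),
        Packet("10.0.0.5", "192.0.2.10", "PA", b"ad.cgi HTTP/1.0\r\n"),
        Packet("10.0.0.5", "192.0.2.10", "A"),
    ]


def run(packets: list, start_index: int, signature: bytes) -> list:
    """Feed packets to a sensor that only exists from start_index onwards.
    start_index=0 models a dedicated sensor on a tap/span port that saw the
    handshake; start_index>0 models snort started on node2 after takeover,
    with the state-synchronised firewall still letting the session through."""
    sensor = Sensor(signature)
    for pkt in packets[start_index:]:
        sensor.inspect(pkt)
    return sensor.alerts
```

Run with `start_index=0` the sensor alerts on the session; run with `start_index=2` (takeover after the first data packet) the reassembled buffer lacks the start of the path and the same signature never fires.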