[Snort-users] Multiple instances of Snort

Micheal Cottingham micheal.cottingham at ...12474...
Fri Sep 24 11:43:16 EDT 2004

Rich Adamson wrote:

>>In short, here's what I'd like to do:
>>I am a security technician for a college, and the college runs a public 
>>cyber cafe. We also offer wireless access. One of the problems is that 
>>there is little auditing in place for the wireless users. I'd like to 
>>setup IAS (I have to use Windows, otherwise I'd use freeradius.org), but 
>>there is no "nice" frontend for IAS. I'm thinking I could use MySQL and 
>>PHP and exec() IAS's command line options since IAS does not yet have 
>>scripting support. Here's where Snort would come in. Snort would log the 
>>packets coming to and from a user, and if something fires a filter in 
>>Snort, it would alert the cyber cafe monitor, and based on the 
>>severity/number of alerts for the user, the cyber cafe monitor could 
>>kill the session for the user. So, I'd like to fork Snort for each user. 
>>I don't expect more than say 5 wireless users at a time, but of course 
>>the more that I can get the application and Snort to scale, the better. 
>>My question is how well would Snort handle in such an environment with 
>>regards to resources, or is something like this even possible currently? 
>There are lots of very different ways to handle wireless stuff, and snort
>can do a piece of that. Not sure I understand why you want multiple
>instances of snort running, but I have several Win32 machines running
>with multiple snort "services", each monitoring via a different nic
>card. Works rather well, however I'd have to guess it wouldn't handle
>high volume traffic all that well. Never tested, so not 100% positive.
>Another approach is to use static IP's on each wireless unit, and if
>someone tries to access via dhcp, hand them an IP and default gateway
>that leads to a honeypot with alerting capability. Mapping mac addresses
>to IP's also has some value as well.
Thanks for the reply. The reason I want multiple instances of Snort (and 
maybe I'm overthinking this, I don't know) is so that I can have the 
alert packets logged to mysql and/or the filesystem for that user. 
Here's (hopefully) a better explanation.

1. A user registers for the first time and they are given their username 
and password that lasts for say 3 hours. Or, they have already 
registered, and they are given their username and password that lasts x 
2. Once they sign in, I would fork Snort for that user's session. Snort 
would just be running in NIDS mode. Then I have a ruleset that detects 
an attempt to  say have a Bitorrent server running off of the user's 
laptop. An alert would fire, and the lab monitor would see it, and based 
on our policy, wait to see if anything more happens or immediately kill 
the session for that user. We can later go back and run a report and 
tell those higher-up that this person was doing x at y time.
3. However, during that time, another user signs in and is given their 
temporary username and password.
4. Another Snort process is started, and is monitoring only them. 
However, if we only had a single Snort process, and though Snort does 
log for the various IP addresses, we would have a more difficult time 
tracking down which IP address belongs to which user. Unfortunately 
static IP addresses are not an option.

That's my reasoning behind the forking anyway.

Micheal Cottingham, Comptia A+
micheal.cottingham at ...12474...

More information about the Snort-users mailing list