[Snort-users] NIDS in the Cloud (was: Snort on Amazon EC2)

Eric G eric at ...15503...
Sat Jan 26 13:07:10 EST 2013


On Sat, Jan 26, 2013 at 1:31 AM, Jason Haar <Jason_Haar at ...15306...> wrote:

> I can't answer your question, but NIDS in the Cloud is difficult, so
> I've got a related question.
>
> How do people monitor EC2 networks full of Windows servers? No
> daemonlogger-and-vtun tricks will help snort there...
>
> e.g. is anyone instead putting up a Linux gateway and placing their
> network behind that in order to do it "better"? (i.e. make your snort
> server the default gateway)
>
> ...or I guess you could install snort on every host!! :-)
>

If you could set up Snort to where it can inject spoofed TCP resets when a
rule fires off further upstream from the Windows boxes (e.g. between router
hops close to the edge), then in such a network you could have Snort
"alongside" the Windows boxes, monitoring the traffic but blocking only when
rules fire off.

I guess there might be a timing issue with that though, because by the time
the rule's fired off the traffic's already left the network. If future
connections from the offending IP were dropped, that'd work though.

--
Eric
http://www.linkedin.com/in/ericgearhart
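As an added example (it is not from this thread and not Snort project code), the script below shows the second option Eric raises: reacting after the alert by dropping further connections from the offending source, rather than racing the packet with a spoofed reset (Snort's own `resp` rule option covers the reset route and is not used here). It parses Snort 2 alert_fast lines, keeps the source addresses of alerts at or above a chosen priority, skips an assumed never-block list so a noisy rule cannot lock out the monitoring subnet, and emits iptables commands for a Linux gateway's FORWARD path instead of executing them. The sample alert lines, the `NEVER_BLOCK` ranges and the `SNORT_BLOCK` chain name are all constructed for the example.

```python
"""Block further connections from sources that trigger Snort alerts.

Added example, not from the snort-users thread. Reads Snort 2 alert_fast
lines, selects offending source IPs, and prints iptables commands for a
gateway instead of running them.
"""
import re
from ipaddress import ip_address, ip_network

# Snort 2 alert_fast layout: timestamp [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: n] {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Assumption: ranges that must never be blocked (the monitoring subnet, loopback).
NEVER_BLOCK = (ip_network("10.0.0.0/24"), ip_network("127.0.0.0/8"))

# Constructed sample alerts for offline use; not real Snort output.
SAMPLE_ALERTS = """\
01/26-13:07:10.123456  [**] [1:2000001:1] LOCAL SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51234 -> 10.0.1.20:445
01/26-13:07:11.222222  [**] [1:2000001:1] LOCAL SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51235 -> 10.0.1.21:445
01/26-13:07:12.333333  [**] [1:2000002:1] LOCAL noisy scan [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.9:4000 -> 10.0.1.20:3389
01/26-13:07:13.444444  [**] [1:2000003:1] LOCAL ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.1.20
this line is not an alert
"""


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    fields["sid"] = int(fields["sid"])
    return fields


def offending_sources(lines, max_priority=2):
    """Unique source IPs, in first-seen order, of alerts at priority <= max_priority.

    Snort priority 1 is the most severe, so max_priority=2 means priority 1 or 2.
    Sources inside NEVER_BLOCK are skipped so a bad rule cannot block the gateway.
    """
    seen = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["prio"] > max_priority:
            continue
        src = ip_address(alert["src"])
        if any(src in net for net in NEVER_BLOCK):
            continue
        if alert["src"] not in seen:
            seen.append(alert["src"])
    return seen


def iptables_commands(ips, chain="SNORT_BLOCK"):
    """iptables commands that DROP forwarded traffic from each IP.

    Assumes the chain exists and is hooked into FORWARD on the Linux gateway
    (iptables -N SNORT_BLOCK; iptables -I FORWARD -j SNORT_BLOCK).
    """
    return [f"iptables -A {chain} -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    for cmd in iptables_commands(offending_sources(SAMPLE_ALERTS.splitlines())):
        print(cmd)
```

The first offending connection still gets through, exactly the timing caveat Eric describes; what this buys is that the second probe from 203.0.113.7 in the sample is the last one the gateway forwards. In practice the script would tail the live alert file and the DROP entries would need an expiry, which is left out here.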