[Snort-users] Snort production setup design
steven at ...17402...
Thu Dec 17 09:39:52 EST 2015
I noticed on the GitHub Security Onion Wiki that it requires a SPAN port - “For a production deployment, you'll need a tap or SPAN/monitor port. Here are some inexpensive tap/span solutions:”. These solutions look like they are not compatible with AWS.
My findings are that AWS does not support SPAN, tap or mirror on their network layer to get a copy of traffic to inspect, which is needed for network IDS, so I am confused as to how this solution could be deployed for NIDS on AWS. The same thing holds true for Snort.
I have only been successful finding host-based IDS solutions for AWS, which require an agent on each node. Either they do the IDS analysis on the node itself, or they do a “soft-tap” on the host’s network adapter (not at the VPC perimeter) and pass it to an IDS manager.
How do you do inline HIDS on AWS? That is my question. I am coming up with a lot of the same questions out there, but no answers.
From: sandeep dubey [mailto:sandeep.sanash at ...11827...]
Sent: Thursday, December 17, 2015 9:09 AM
To: Rodgers, Anthony (DTMB) <RodgersA1 at ...17120...>
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort production setup design
Thanks, Rodgers, for the reply.
I am running my production environment on the public cloud Amazon Web Services (AWS), where I don't have control over installing ISO/IMG files etc.
Is SecurityOnion equivalent to OSSIM?
On Thu, Dec 17, 2015 at 7:03 PM, Rodgers, Anthony (DTMB) <RodgersA1 at ...17120...<mailto:RodgersA1 at ...17120...>> wrote:
Can’t recommend SecurityOnion highly enough.
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security
From: sandeep dubey [mailto:sandeep.sanash at ...11827...<mailto:sandeep.sanash at ...11827...>]
Sent: Thursday, December 17, 2015 04:53
To: snort-users at lists.sourceforge.net<mailto:snort-users at lists.sourceforge.net>
Subject: [Snort-users] Snort production setup design
Is it possible to install Snort in IDS mode on multiple servers (AWS EC2 instances) and have a central server where analysis can be done through a GUI and alerts/notifications can also be managed, like OSSEC?
If yes, what are the tools to use, and how do I move ahead?