[Snort-users] Snort production setup design

Steven Dracker steven at ...17402...
Thu Dec 17 09:39:52 EST 2015

I noticed on the GitHub Security Onion Wiki that it requires a Span Port - “For a production deployment, you'll need a tap or SPAN/monitor port. Here are some inexpensive tap/span solutions:”. These solutions look like they are not compatible with AWS.

My findings are that AWS does not support SPAN, TAP or mirror ports on their network layer to get a copy of traffic to inspect, which is needed for a network IDS, so I am confused as to how this solution could be deployed for NIDS on AWS. The same thing holds true for Snort.

I have only been successful finding Host Based IDS solutions for AWS which require an Agent on each node. Either they do the IDS analysis on the node itself or do a “soft-tap” on the host’s network adapter (Not at the VPC Perimeter) and pass it to an IDS manager.

My question is: how do you do inline HIDS on AWS? I am coming up with a lot of the same questions out there but no answers.


From: sandeep dubey [mailto:sandeep.sanash at ...11827...]
Sent: Thursday, December 17, 2015 9:09 AM
To: Rodgers, Anthony (DTMB) <RodgersA1 at ...17120...>
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort production setup design

Thanks Rodgers for the reply,

I am running my production environment on the public cloud Amazon Web Services (AWS), where I don't have control over installing ISO/IMG images etc.

Is SecurityOnion equivalent to OSSIM?

On Thu, Dec 17, 2015 at 7:03 PM, Rodgers, Anthony (DTMB) <RodgersA1 at ...17120...> wrote:
Can’t recommend SecurityOnion highly enough.

Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security

From: sandeep dubey [mailto:sandeep.sanash at ...11827...]
Sent: Thursday, December 17, 2015 04:53
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort production setup design


Is it possible to install Snort in IDS mode on multiple servers (AWS EC2 instances) and have a central server where analysis can be done through a GUI and alerts/notifications can also be managed, like OSSEC?

If yes, what are the tools to use and how do I move ahead?

