[Snort-users] Snort production setup design

sandeep dubey sandeep.sanash at ...11827...
Sat Dec 19 00:55:33 EST 2015


Thanks Charles for your time, efforts, explanation and details of the
solution.

If I am correct, you are saying that, even if I am running my servers in
Classic mode, I can create a new VPC with the suggested router and configure the
SIEM to collect the Snort logs from my individual servers, where Snort will be
running in IDS mode?


On Fri, Dec 18, 2015 at 12:58 PM, Davison, Charles Robert <
cdaviso1 at ...17214...> wrote:

> Sandeep,
>
>
>
> Sorry I did not clarify… when I was referring to VPC I was referencing the
> AWS VPC (Virtual Private Cloud), and if you apply the router that I was
> talking about before it sits on the edge of your VPC. If you don’t want to
> end up using Snort as a HIDS essentially the best thing to do is to buy
> that router and tap your traffic, inbound/outbound, of your VPC to your
> desired Snort device. The router to my knowledge supports HSRP so you could
> build redundancy between the two devices and set up your tap on each router
> to send the traffic to another VPC or a local Datacenter or anywhere you
> want. Your SIEM could then read the alerts from whatever locations you set
> up. And since you have routing redundancy with HSRP if one routing link
> fails the data would get sent to the other snort instance. Even though you
> might have separate data centers to help make this redundant you would only
> have one SIEM reading the same log data so it would put both alerting
> results into context. There are many ways to perform what you’re talking
> about but I made a simple diagram below that explains what we are talking
> about (also attached). Please forgive my lack of artistry/visio :D
>
>
>
> If you do have a SIEM you essentially get a copy of your snort logs sent
> via syslog; there is an option in the snort.conf to add a syslog server,
> and if this was at a local data center then you would not have to worry
> about storage space in AWS. And since the cisco virtual routers support
> enterprise VPNs you could tie them into your network. If you wanted to do
> HIDS as well this would be fine… you would want to install OSSEC or Samhain
> on your computer in the AWS VPC; the traffic could then get passed along
> the same way to your SIEM for interpretation of host activity. Almost
> everything in the above example could be done via open source except the
> routing part, which even if you did find an open source router I would
> recommend going with the Cisco one due to all the features available to help
> out with redundancy. Keep in mind that this whole design would rest on the
> routers not being able to scale elastically. So as long as you are running
> a small web service you should be fine, but this would be your bottleneck,
> and you would have to manually add more routers over time to service
> requests. To my knowledge there is still no official elastic tap
> capability in AWS for the edge routing piece; if there was, that would be
> awesome. Hopefully this answered your questions. If not let me know what I
> am missing so I can better understand what you’re asking for.
>
>
>
> *From:* sandeep dubey [mailto:sandeep.sanash at ...11827...]
> *Sent:* Thursday, December 17, 2015 9:37 PM
> *To:* Davison, Charles Robert <cdaviso1 at ...17214...>
> *Cc:* Steven Dracker <steven at ...17402...>; Rodgers, Anthony (DTMB) <
> RodgersA1 at ...17120...>; snort-users at lists.sourceforge.net
>
> *Subject:* Re: [Snort-users] Snort production setup design
>
>
>
> Thanks Charles and all for your opinions and suggestion.
>
>
>
> The server I am running is not in VPC mode, it is in Classic mode. This
> server is very busy and critical, where I don't want to install packages
> like OpenVPN etc.; however I can create a new server for this purpose if it
> works. I want to install a minimal package like snort only, which will run in
> IDS mode, and its logs should go to some server where I should be able to
> analyse those logs and send alerts. I want to avoid space issues on the server,
> or I will have to attach an EBS volume to store logs locally.
>
>
>
> Performance is a big concern in this case because the servers I am running
> don't support load balancing or HA. These are 3 dedicated servers serving RPC
> calls. If any of the servers goes down, the service gets impacted.
>
>
>
> I am looking for only Opensource solutions.
>
>
>
> Is it possible to install Snort on these servers in NIDS mode and ship the
> logs to another server as mentioned here -
> http://sublimerobots.com/2015/12/snort-2-9-8-x-on-ubuntu-part-4/
>
> The above link assumes everything is on a single server, whereas I want snort on my
> production servers but the logs and the other tools mentioned should be on another
> dedicated server.
>
>
>
> Please bear with me for basic beginner questions and doubts, I am very new
> to this (security) field.
>
>
>
> Let me know your suggestion, opinions and guidelines.
>
>
>
> On Thu, Dec 17, 2015 at 8:46 PM, Davison, Charles Robert <
> cdaviso1 at ...17214...> wrote:
>
> If you want to do a true NIDS and not a HIDS on all your AWS boxes there
> are a couple of things you can do.
>
>
>
> 1. Read this article:
> https://github.com/Security-Onion-Solutions/security-onion/wiki/CloudClient
> It describes how you can utilize netsniff-ng as a virtual tap. See below
> for install instructions:
>
> Installing Netsniff-NG: To install netsniff-ng, start by installing the required
> dependencies:
>
> sudo apt-get install git build-essential ccache flex bison libnl-3-dev \
>     libnl-genl-3-dev libnl-route-3-dev libgeoip-dev libnetfilter-conntrack-dev \
>     libncurses5-dev liburcu-dev libnacl-dev libpcap-dev zlib1g-dev libcli-dev \
>     libnet1-dev
>
> Next, compile and install netsniff-ng.
>
> git clone git://github.com/netsniff-ng/netsniff-ng.git
> cd netsniff-ng
> make
> sudo make install
>
> 2. The other option would be to buy a cisco virtual router v1000.
> This router will sit at the edge of your VPC. You can tap traffic from an
> entire VPC back to a single NIDS box/cluster, probably the easiest option
> as well. The only thing you won't be able to see is lateral movement within
> an environment since your tapped traffic will only be the external
> communications. To cover your assets you will need a HIDS installed on your
> servers for lateral movement. The only downside to this scenario is that
> the router that sits on the edge does not elastically scale. The last time
> I checked the v1000’s get 1GB throughput, bidirectional, at the highest
> licensing tier. You might be able to manually add more v1000’s if you need
> to accommodate higher traffic to a particular VPC, but you might want to
> double check with Cisco on that.
>
> 3. If you have any further questions reach out to me and I would be
> happy to help.
>
>
>
> *From:* sandeep dubey [mailto:sandeep.sanash at ...11827...]
> *Sent:* Thursday, December 17, 2015 7:51 AM
> *To:* Steven Dracker <steven at ...17402...>
> *Cc:* Rodgers, Anthony (DTMB) <RodgersA1 at ...17120...>;
> snort-users at lists.sourceforge.net
>
>
> *Subject:* Re: [Snort-users] Snort production setup design
>
>
>
> I have installed and configured OSSEC as agent and server for monitoring
> system-level changes like files, integrity, log monitoring, package
> changes, port changes etc.
>
>
>
> Not monitoring any network related stuff though.
>
>
>
> On Thu, Dec 17, 2015 at 8:09 PM, Steven Dracker <steven at ...17402...>
> wrote:
>
> I noticed on the GitHub Security Onion Wiki that it requires a Span Port
> - “For a production deployment, you'll need a tap or SPAN/monitor port.
> Here are some inexpensive tap/span solutions:”. These solutions look like
> they are not compatible with AWS.
>
>
>
> My findings are that AWS does not support Span, Tap or Mirror on their
> network layer to get a copy of traffic to inspect, which is needed for a
> Network IDS. So I am confused as to how this solution could be deployed for
> NIDS on AWS. The same thing holds true for Snort.
>
>
>
> I have only been successful finding Host Based IDS solutions for AWS which
> require an Agent on each node. Either they do the IDS analysis on the node
> itself or do a “soft-tap” on the host’s network adapter (Not at the VPC
> Perimeter) and pass it to an IDS manager.
>
>
>
> How do you do inline HIDS on AWS is my question. I am coming up with a lot
> of the same questions out there but no answers.
>
>
>
> Thanks,
>
> Steve
>
>
>
>
>
> *From:* sandeep dubey [mailto:sandeep.sanash at ...11827...]
> *Sent:* Thursday, December 17, 2015 9:09 AM
> *To:* Rodgers, Anthony (DTMB) <RodgersA1 at ...17120...>
> *Cc:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Snort production setup design
>
>
>
> Thanks Rodgers for reply,
>
>
>
> I am running my production environment on the public cloud Amazon Web Services
> (AWS), where I don't have control for installing iso/img etc.
>
>
>
> Is SecurityOnion equivalent to OSSIM?
>
>
>
> On Thu, Dec 17, 2015 at 7:03 PM, Rodgers, Anthony (DTMB) <
> RodgersA1 at ...17120...> wrote:
>
> Can’t recommend SecurityOnion highly enough.
>
>
>
> --
>
> Anthony Rodgers
>
> Security Analyst
>
> Michigan Security Operations Center (MiSOC)
>
> DTMB, Michigan Cyber Security
>
>
>
> *From:* sandeep dubey [mailto:sandeep.sanash at ...11827...]
> *Sent:* Thursday, December 17, 2015 04:53
> *To:* snort-users at lists.sourceforge.net
> *Subject:* [Snort-users] Snort production setup design
>
>
>
> Hi,
>
>
>
> Is it possible to install snort in IDS mode on multiple servers (AWS EC2
> instances) and have a central server where analysis can be done through a
> GUI and also alerts/notifications can be managed, like OSSEC?
>
>
>
> If yes, what are the tools to use and how to move ahead?
>
>
>
> --
>
> Regards,
>
> Sandeep
>
>



-- 
Regards,
Sandeep
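As an added illustration (not code from this thread, from Snort or from any of the posters) of what the central server receives once each production server's snort.conf sends alerts to it via syslog: a parser for Snort's alert_syslog line format, plus the cross-sensor correlation that only the collector can do, since a single host never sees that the same source hit its neighbours too. Host names, rule SIDs and addresses in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample input (hypothetical hosts, rule SIDs and addresses): Snort
# alert_syslog lines as they arrive at a central syslog collector; the syslog
# hostname identifies which EC2 instance's Snort raised the alert.
SAMPLE_SYSLOG = """\
Dec 18 10:01:02 rpc-node-1 snort[2011]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:80 -> 10.0.1.10:51122
Dec 18 10:01:05 rpc-node-2 snort[1870]: [1:1000001:1] LOCAL rpc probe [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:41523 -> 10.0.1.11:111
Dec 18 10:01:09 rpc-node-1 snort[2011]: [1:1000001:1] LOCAL rpc probe [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:41530 -> 10.0.1.10:111
Dec 18 10:01:20 rpc-node-3 snort[1922]: [1:1000001:1] LOCAL rpc probe [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:41544 -> 10.0.1.12:111
Dec 18 10:01:22 rpc-node-3 ossec[900]: not a Snort alert, must be ignored
"""

# Fields of one alert_syslog line: timestamp, sensor host, [gid:sid:rev], rule
# message, optional classification, priority, protocol, src -> dst (ports are
# absent for ICMP alerts, so they are optional here).
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<sensor>\S+) snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alerts(text):
    """Return one dict per Snort alert line; lines from other daemons are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["prio"] = int(rec["prio"])
            alerts.append(rec)
    return alerts


def sources_seen_on_multiple_sensors(alerts, min_sensors=2):
    """Context only the central collector has: source IPs that fired the same
    rule (sid) on at least `min_sensors` different servers, e.g. one host
    probing every RPC node in turn."""
    seen = defaultdict(set)
    for a in alerts:
        seen[(a["src"], a["sid"])].add(a["sensor"])
    return {key: sorted(hosts) for key, hosts in seen.items()
            if len(hosts) >= min_sensors}
```

With the sample above, the per-host view shows one low-priority probe on each node, while the collector's view shows 198.51.100.7 firing the same rule on all three RPC servers.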