Snort mailing list archives

Re: Snort production setup design


From: sandeep dubey <sandeep.sanash () gmail com>
Date: Sat, 19 Dec 2015 11:25:33 +0530

Thanks Charles for your time, efforts, explanation and details of the
solution.

If I am correct, you are saying that even if I am running my servers in
Classic mode, I can create a new VPC with the suggested router and configure
the SIEM to collect the Snort logs, with Snort running on my individual
servers in IDS mode?


On Fri, Dec 18, 2015 at 12:58 PM, Davison, Charles Robert <
cdaviso1 () vols utk edu> wrote:

Sandeep,



Sorry I did not clarify… when I was referring to VPC I was referencing the
AWS VPC (Virtual Private Cloud), and if you apply the router that I was
talking about before, it sits on the edge of your VPC. If you don’t want to
end up using Snort as a HIDS, essentially the best thing to do is to buy
that router and tap your traffic, inbound/outbound, of your VPC to your
desired Snort device. The router to my knowledge supports HSRP, so you could
build redundancy between the two devices and set up your tap on each router
to send the traffic to another VPC or a local datacenter or anywhere you
want. Your SIEM could then read the alerts from whatever locations you set
up. And since you have routing redundancy with HSRP, if one routing link
fails the data would get sent to the other Snort instance. Even though you
might have separate data centers to help make this redundant, you would only
have one SIEM reading the same log data, so it would put both alerting
results into context. There are many ways to perform what you’re talking
about, but I made a simple diagram below that explains what we are talking
about (also attached). Please forgive my lack of artistry/visio :D



If you do have a SIEM you essentially get a copy of your Snort logs sent
via syslog; there is an option in snort.conf to add a syslog server,
and if this was at a local data center then you would not have to worry
about storage space in AWS. And since the Cisco virtual routers support
enterprise VPNs, you could tie them into your network. If you wanted to do
HIDS as well this would be fine… you would want to install OSSEC or Samhain
on your computer in the AWS VPC; the traffic could then get passed along
the same way to your SIEM for interpretation of host activity. Almost
everything in the above example could be done via open source except the
routing part, and even if you did find an open source router I would
recommend going with the Cisco one due to all the features available to help
out with redundancy. Keep in mind that this whole design would rest on the
routers not being able to scale elastically. So as long as you are running
a small web service you should be fine, but this would be your bottleneck,
and you would have to manually add more routers over time to service
requests. To my knowledge there is still no official elastic tap
capability in AWS for the edge routing piece; if there was, that would be
awesome. Hopefully this answered your questions. If not, let me know what I
am missing so I can better understand what you’re asking for.
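The collection model described above (every sensor forwarding its alerts over syslog, one SIEM putting them into context) is easy to prototype. The following is an added example, not code from the thread or from the Snort project: a small Python parser for Snort `alert_syslog` lines as they arrive at a central collector, which counts alerts per sensor and per signature and flags source addresses that tripped rules on more than one sensor. The sample lines, the hostnames `rpc-01`..`rpc-03`, the local rule sid 1000001 and all addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input (not from the original thread): Snort alerts as they
# arrive at a central syslog collector from three EC2 instances, using the
# hypothetical hostnames rpc-01..rpc-03. Each sensor forwards with a snort.conf
# output line of the form
#   output alert_syslog: host=<collector-ip>:514, LOG_AUTH LOG_ALERT
# The message part follows Snort's alert_syslog format; sid 1000001 is a
# made-up local rule. The last line is unrelated syslog noise.
SAMPLE_SYSLOG = """\
Dec 17 09:09:01 rpc-01 snort[1234]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.0.0.5:80 -> 198.51.100.7:51234
Dec 17 09:09:02 rpc-02 snort[2345]: [1:1000001:1] LOCAL RPC portmapper probe [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 198.51.100.7:44321 -> 10.0.0.6:111
Dec 17 09:09:03 rpc-03 snort[3456]: [1:1000001:1] LOCAL RPC portmapper probe [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 198.51.100.7:44322 -> 10.0.0.7:111
Dec 17 09:09:04 rpc-01 snort[1234]: [1:1000001:1] LOCAL RPC portmapper probe [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 198.51.100.7:44323 -> 10.0.0.5:111
Dec 17 09:09:05 rpc-02 sshd[999]: Accepted publickey for ubuntu from 203.0.113.9 port 5022
"""

# syslog header, then Snort's "[gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src:port -> dst:port"
# Classification and the ports are optional (not every rule has a classtype; ICMP has no ports).
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+snort\[\d+\]:\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<pri>\d+)\]:?\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return a dict for one forwarded Snort alert, or None for non-alert lines."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "host": d["host"],                       # which sensor saw it
        "sig": f'{d["gid"]}:{d["sid"]}:{d["rev"]}',
        "sid": int(d["sid"]),
        "msg": d["msg"],
        "classification": d["cls"],
        "priority": int(d["pri"]),
        "proto": d["proto"],
        "src": d["src"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"],
        "dport": int(d["dport"]) if d["dport"] else None,
    }


def parse_stream(text):
    """Parse a block of collected syslog text, silently skipping non-Snort lines."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def count_by_host(alerts):
    """Alert volume per sensor: a sensor that goes quiet or noisy stands out here."""
    return dict(Counter(a["host"] for a in alerts))


def count_by_signature(alerts):
    """Alert volume per (gid:sid:rev, message) across the whole fleet."""
    return dict(Counter((a["sig"], a["msg"]) for a in alerts))


def correlate_sources(alerts, min_hosts=2):
    """Source IPs whose traffic triggered alerts on at least min_hosts sensors.
    This is the cross-sensor context a single SIEM gives that per-host alert
    files on each EC2 instance cannot."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["src"]].add(a["host"])
    return {src: hosts for src, hosts in seen.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    alerts = parse_stream(SAMPLE_SYSLOG)
    print("alerts per sensor:", count_by_host(alerts))
    for (sig, msg), n in count_by_signature(alerts).items():
        print(f"{n:3d}  [{sig}] {msg}")
    for src, hosts in correlate_sources(alerts).items():
        print(f"{src} seen by {len(hosts)} sensors: {sorted(hosts)}")
```

On the sample input the parser yields four alerts (the sshd line is dropped), two of them from rpc-01, and reports 198.51.100.7 as the one source that probed all three sensors. In a real deployment the text would come from the collector's syslog file or socket rather than a string, and the regex should be checked against the exact Snort version's syslog output, since the trailing colon after `[Priority: n]` differs between Snort's syslog and fast-alert formats.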



*From:* sandeep dubey [mailto:sandeep.sanash () gmail com]
*Sent:* Thursday, December 17, 2015 9:37 PM
*To:* Davison, Charles Robert <cdaviso1 () vols utk edu>
*Cc:* Steven Dracker <steven () egifter com>; Rodgers, Anthony (DTMB) <
RodgersA1 () michigan gov>; snort-users () lists sourceforge net

*Subject:* Re: [Snort-users] Snort production setup design



Thanks Charles and all for your opinions and suggestion.



The server I am running is not in VPC mode, it is in Classic mode. This
server is very busy and critical, where I don't want to install packages
like OpenVPN etc.; however, I can create a new server for this purpose if it
works. I want to install a minimal package like Snort only, which will run in
IDS mode, and its logs should go to some server where I should be able to
analyse those logs and send alerts. I want to avoid space issues on the server,
or I will have to attach an EBS volume to store logs locally.



Performance is a big concern in this case because the servers I am running
don't support load balancing or HA. It is 3 dedicated servers serving RPC
calls. If any of the servers goes down, the service gets impacted.



I am looking for only open source solutions.



Is it possible to install Snort on these servers in NIDS mode and ship the
logs to another server as mentioned here -
http://sublimerobots.com/2015/12/snort-2-9-8-x-on-ubuntu-part-4/

In the above link it assumes all on a single server, whereas I want Snort on
my production servers but the logs and other tools mentioned should be on
another dedicated server.



Please bear with me for basic beginner questions and doubts; I am very new
to this (security) field.



Let me know your suggestions, opinions and guidelines.



On Thu, Dec 17, 2015 at 8:46 PM, Davison, Charles Robert <
cdaviso1 () vols utk edu> wrote:

If you want to do a true NIDS and not a HIDS on all your AWS boxes, there
are a couple of things you can do.



1. Read this article:
https://github.com/Security-Onion-Solutions/security-onion/wiki/CloudClient
It describes how you can utilize netsniff-ng as a virtual tap. See below
for install instructions:
*Installing Netsniff-NG:* To install netsniff-ng, start by installing the
required dependencies:

sudo apt-get install git build-essential ccache flex bison libnl-3-dev
libnl-genl-3-dev libnl-route-3-dev libgeoip-dev libnetfilter-conntrack-dev
libncurses5-dev liburcu-dev libnacl-dev libpcap-dev zlib1g-dev libcli-dev
libnet1-dev

Next, compile and install netsniff-ng.

# GitHub no longer serves the git:// protocol; clone over https instead
git clone https://github.com/netsniff-ng/netsniff-ng.git
cd netsniff-ng
make
sudo make install

2. The other option would be to buy a Cisco virtual router v1000.
This router will sit at the edge of your VPC. You can tap traffic from an
entire VPC back to a single NIDS box/cluster, probably the easiest option
as well. The only thing you won't be able to see is lateral movement within
an environment, since your tapped traffic will only be the external
communications. To cover your assets you will need a HIDS installed on your
servers for lateral movement. The only downside to this scenario is that
the router that sits on the edge does not elastically scale. The last time
I checked, the v1000’s get 1GB throughput, bidirectional, at the highest
licensing tier. You might be able to manually add more v1000’s if you need
to accommodate higher traffic to a particular VPC, but you might want to
double check with Cisco on that.

3. If you have any further questions, reach out to me and I would be
happy to help.



*From:* sandeep dubey [mailto:sandeep.sanash () gmail com]
*Sent:* Thursday, December 17, 2015 7:51 AM
*To:* Steven Dracker <steven () egifter com>
*Cc:* Rodgers, Anthony (DTMB) <RodgersA1 () michigan gov>;
snort-users () lists sourceforge net


*Subject:* Re: [Snort-users] Snort production setup design



I have installed and configured OSSEC as agent and server for monitoring
system-level changes like files, integrity, log monitoring, package
changes, port changes etc.



Not monitoring any network related stuff though.



On Thu, Dec 17, 2015 at 8:09 PM, Steven Dracker <steven () egifter com>
wrote:

I noticed on the GitHub Security Onion Wiki that it requires a SPAN port
- “For a production deployment, you'll need a tap or SPAN/monitor port.
Here are some inexpensive tap/span solutions:”. These solutions look like
they are not compatible with AWS.



My findings are that AWS does not support SPAN, tap or mirror on their
network layer to get a copy of traffic to inspect, which is needed for
network IDS, so I am confused as to how this solution could be deployed for
NIDS on AWS. The same thing holds true for Snort.



I have only been successful finding Host Based IDS solutions for AWS which
require an Agent on each node. Either they do the IDS analysis on the node
itself or do a “soft-tap” on the host’s network adapter (Not at the VPC
Perimeter) and pass it to an IDS manager.



How do you do inline HIDS on AWS is my question. I am coming up with a lot
of the same questions out there but no answers.



Thanks,

Steve





*From:* sandeep dubey [mailto:sandeep.sanash () gmail com]
*Sent:* Thursday, December 17, 2015 9:09 AM
*To:* Rodgers, Anthony (DTMB) <RodgersA1 () michigan gov>
*Cc:* snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] Snort production setup design



Thanks Rodgers for the reply,



I am running my production environment on the public cloud Amazon Web Services
(AWS), where I don't have control over installing ISO/IMG images etc.



Is SecurityOnion equivalent to OSSIM ?



On Thu, Dec 17, 2015 at 7:03 PM, Rodgers, Anthony (DTMB) <
RodgersA1 () michigan gov> wrote:

Can’t recommend SecurityOnion highly enough.



--

Anthony Rodgers

Security Analyst

Michigan Security Operations Center (MiSOC)

DTMB, Michigan Cyber Security



*From:* sandeep dubey [mailto:sandeep.sanash () gmail com]
*Sent:* Thursday, December 17, 2015 04:53
*To:* snort-users () lists sourceforge net
*Subject:* [Snort-users] Snort production setup design



Hi,



Is it possible to install Snort in IDS mode on multiple servers (AWS EC2
instances) and have a central server where analysis can be done through a
GUI and alerts/notifications can also be managed, like OSSEC?



If yes, what are the tools to use and how do I move ahead?



--

Regards,

Sandeep

-- 
Regards,
Sandeep

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!