
Re: High availability design of NIDS: msg#00029

security.ids

Subject: Re: High availability design of NIDS

Hello! I have been experimenting with NIDS (Snort) on Linux, but with
a single sensor only. I worked with Snort, coupled with ADOdb, ACID
etc., but didn't come across DRBD or heartbeat. Could you please give
me pointers as to what these are, and where I can get more info on
them? Also, if you have some documentation done on the above and it can
be released, it'll be useful if I can go through it.

I am currently running Snort on FC2.

Thanks and regards

John Galt


On Tue, 22 Feb 2005 18:46:52 +0100, Jose Maria Lopez Hernandez
<jkerouac@xxxxxxxxx> wrote:
> On Tue, 22-02-2005 at 17:26 +0800, Vincent IP wrote:
> > Hi all,
> >
> > I am now designing an NIDS solution. In the design, I would like to
> > include high availability (HA) feature for my NIDS solution so that when
> > one of the sensors is dead, the other (resilient) sensor can take up the
> > monitoring job automatically.
> >
> > If the NIDS is not running in stealthy mode, I think I could use the
> > Cluster service of Windows to monitor the network in HA mode. (assuming
> > both sensors can listen to all traffic in the network).
> >
> > However, if I need to run the NIDS in stealthy mode, could I also use the
> > Cluster service to monitor the network in HA mode? Are there any products
> > already enabling HA feature?
> >
> > Thank you very much.
> >
> > Regards,
> > Pong
>
> I've installed two Snort sensors logging to a MySQL database with
> internal storage, using heartbeat, DRBD and some hacks, in high
> availability. But it runs under Linux. If you are interested, post
> another message and I will tell you how I did it, but you talk about
> Windows, so I don't know if you are interested in the information.
>
> Regards.
>
> --
>
> Jose Maria Lopez Hernandez
> Technical Director of bgSEC
> jkerouac@xxxxxxxxx
> bgSEC Seguridad y Consultoria de Sistemas Informaticos
> http://www.bgsec.com
> SPAIN
>
> The only people for me are the mad ones -- the ones who are mad to live,
> mad to talk, mad to be saved, desirous of everything at the same time,
> the ones who never yawn or say a commonplace thing, but burn, burn, burn
> like fabulous yellow Roman candles.
> -- Jack Kerouac, "On the Road"
