
Re: High availability design of NIDS: msg#00034

security.ids

Subject: Re: High availability design of NIDS

On Thu, 24-02-2005 at 23:22 +0530, John Galt wrote:
> Hello! I have been experimenting with NIDS (snort) on linux, but with
> a single sensor only. I worked with snort, coupled with adodb, acid
> etc, but didn't come across drbd or heartbeat. Could you please give
> me pointers as to what these are, and where can I get more info on
> them? Also, if you have some documentation done on the above and can
> be released, it'll be useful if I can go thru it.
>
> Am currently running snort on FC2.
>
> Thanks and regards
>
> John Galt

Please read the post I have just sent to the list. It explains
the method I used to implement a high availability snort. It's
not the only method you can use; there are others. And the
really challenging thing is to do this in active-active mode,
which we are already trying with a similar method.

The pointers you ask for are:

heartbeat: It's a system that implements the heartbeat protocol
over Linux. It has made a lot of advances lately, and it's a
very capable system, but somehow limited to active-passive mode.
The URL is: http://www.linux-ha.org/

drbd: It's a system to implement a RAID-1 over the network in
a cluster of two Linux machines. It's also oriented to active-passive
mode, but it works like a charm in that configuration. It can
have two partitions synced almost in real time and it has a
heartbeat script for implementing the failovers. It can be used
successfully to replicate databases with its C mode of operation,
which uses some kind of transaction system to check that the data is
written successfully at the other end of the system.
The URL is: http://www.drbd.org/

Hope it helps.

Regards.

--

Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac@xxxxxxxxx
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"


