Snort mailing list archives
Asymmetric routing and IDS correlation ?
From: Glenn Forbes Fleming Larratt <glratt () io com>
Date: Mon, 22 Mar 2004 16:12:22 -0600 (CST)
Our border is configured with two loadshared connections between
border and core routers, using OSPF loadsharing in its default
(per-packet) mode of operation. Two redundant snort hosts each
have a dedicated, unaddressed, promiscuous-mode tap on each of
the two links.
This creates the nontrivial problem that any attempt to use
stateful features of Snort (or any other IDS) may fail because
of asymmetric routing, thus:
border
| | +---+
+--U---------+ + snorthost (only one of two shown)
| +---------+ +
| | +---+
core
If, for the sake of argument, a TCP conversation occurs:
Syn
Syn/Ack
Ack
{banner}
{query1}
{response1}
{query2}
{response}
Fin
Ack
Fin
Ack
and the routing and loadsharing are such that inbound traffic takes
the left-hand link and outbound the right-hand, then neither of the
two instances of snort on the snorthost will get enough information
to do even minimal correlations, let alone use "flow" and "session"
keywords.
We know we could make the two links preferred/backup, rather than
equal-value loadshare, but that throws away half our bandwidth.
Question 1: Is there any way for snort to be smart enough to have
one instance looking at both interfaces, or to share state between
two instances?
Question 2: [sort of OT for this list] is there a standards-based way
to make two-way loadsharing "per-conversation", as it were, to obviate
this issue?
Any assistance gratefully received.
thx, -g
--
Glenn Forbes Fleming Larratt The Lab Ratt (not briggs :-)
glratt () io com http://www.io.com/~glratt
There are imaginary bugs to chase in heaven.
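The failure mode described in the post, as an added example that is not part of the original message or of Snort: two taps each capture one direction of a constructed TCP conversation (addresses and flag strings are made up for the illustration), and a minimal handshake tracker only reaches ESTABLISHED once the two taps' packets are merged in timestamp order.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    ts: float   # capture timestamp in seconds
    src: str
    dst: str
    flags: str  # TCP flags as letters, e.g. "S", "SA", "A", "PA", "F"

# Constructed sample conversation (hypothetical addresses from documentation ranges).
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
CONVERSATION = [
    Pkt(0.000, CLIENT, SERVER, "S"),    # Syn
    Pkt(0.010, SERVER, CLIENT, "SA"),   # Syn/Ack
    Pkt(0.020, CLIENT, SERVER, "A"),    # Ack
    Pkt(0.030, SERVER, CLIENT, "PA"),   # {banner}
    Pkt(0.040, CLIENT, SERVER, "PA"),   # {query1}
    Pkt(0.050, SERVER, CLIENT, "PA"),   # {response1}
    Pkt(0.060, CLIENT, SERVER, "F"),    # Fin
    Pkt(0.070, SERVER, CLIENT, "A"),    # Ack
    Pkt(0.075, SERVER, CLIENT, "F"),    # Fin
    Pkt(0.080, CLIENT, SERVER, "A"),    # Ack
]

def split_by_direction(pkts):
    """Model the asymmetric path: inbound (toward the server) crosses the
    left-hand link, outbound (from the server) crosses the right-hand link."""
    left = [p for p in pkts if p.dst == SERVER]
    right = [p for p in pkts if p.src == SERVER]
    return left, right

def merge_taps(*taps):
    """Merge several per-tap captures into one stream ordered by timestamp,
    which is what a single sensor reading both interfaces would see."""
    return sorted((p for tap in taps for p in tap), key=lambda p: p.ts)

def track_handshake(pkts):
    """Minimal TCP state machine for one client/server pair; returns the
    last state it could reach from the packets it was given."""
    state = "NONE"
    for p in pkts:
        if state == "NONE" and p.flags == "S" and p.dst == SERVER:
            state = "SYN_SENT"
        elif state == "SYN_SENT" and p.flags == "SA" and p.src == SERVER:
            state = "SYN_RECV"
        elif state == "SYN_RECV" and p.flags == "A" and p.dst == SERVER:
            state = "ESTABLISHED"
        elif state == "ESTABLISHED" and "F" in p.flags:
            state = "CLOSING"
    return state
```

Run alone, the left tap stalls at SYN_SENT and the right tap never leaves NONE, so neither instance can apply flow-aware rules; the merged stream walks the full handshake through to CLOSING.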
