I would like to take the opportunity to present redBorder IPS, a new Ruby on Rails based Open Source project around our venerable Snort.
redBorder IPS is a self contained Linux distribution with two different roles:
As a Manager provides the following capabilities in a centralized manner:
- Event view and storage, based on Snorby with a few enhancements
- Hierarchical management of multiple sensor configurations (basic networking services, basic Snort configuration) based on Chef with our own recipes and web front end
- Very powerful rule management system (configuration, inheritance, updating, multiple feeds, …)
- SNMP monitoring for generic system capabilities (CPU Load, RAM usage, …) as well as specific Snort parameters (Alerts, KPPS, CPU, …)
- Advanced user management with roles, inheritance and auditing
As a Sensor provides the following capabilities:
- Customized and hardened CentOS 6.2 system with all needed packets
- Latest Snort & pf_ring versions
- IPS mode running on top of pf_ring with specific performance enhancements and capability to drop packets within pf_ring itself
- New IDS Forwarding mode running on top of pf_ring reflecting the packets at kernel level and sending a copy to Snort maintaining the capability to drop packets within pf_ring
- IDS mode running on top of clustered pf_ring
- In all cases, we have sponsored the enhancement of Snort DAQ to be able to analyze multiple segments from the same Snort instance and load balance between all available cores, thus granting better hardware usage
- Support for Bypass (Fail to wire) cards from Silicom
We would like to thank Sourcefire team for Snort, Dustin Webber for Snorby, the seed we needed to accomplish in time our daunting task, Luca Deri and Alfredo Cardigliano from ntop.org for their great job porting DAQ to the latest pf_rinf and some performance and clustering enhancements, Opscode team for Chef and Silicom team for their support and experience managing their great cards. Without all of them this project would not have been possible.
Of course, we would also want to give a huge thank you to Produban and Nextel, the two sponsors of all of the developments done up to now. Without them, and without their approval to release this contributions to the public this project would not exist.
All of this is available at the project website, www.redborder.net.
--
We love the fact that such a large community of IPS configurations (especially load balanced!) is springing up around Snort. This community is awesome!
Sourcefire of course warns you that using this is at your own risk and your milage may vary. We think all projects surrounding Snort are a great addition to the community.