LiveIDS
From ChekMate Security Group
An image is built to provide IDS monitoring to sensor devices throughout the Network cloud.
- These devices power up, boot from the network and load the image from the Head Office.
- The device picks up a pre-assigned IP address from the DHCP server, and then loads via TFTP the LiveIDS image.
- After the operating system is loaded, the sensor syncs with the WebJob server to receive the latest configuration files.
- It then starts the required services.
- The Snort configuration files are managed on the WebJob server.
- The WebJob server maintains a directory structure for files that are common to all sensors and also files that are specific to the individual sensors.
- Each sensor monitors for changes to these directories every five minutes and syncs the files when there is a change and restarts the appropriate service.
- Each sensor reports all IDS Snort events and all IP Header events to Head Office using Snort and pmacct.
- Each sensor is also configured to report all SNMP and Syslog events to the centralized environment.
- A monitoring collector (munin) is also executed every five minutes to receive appropriate counters from each sensor.
- Nagios is used to monitor each device.
- The current deployment maintains 16 sensors.
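The five-minute configuration sync described above (poll the WebJob server's common and per-sensor directories, copy changed files into place, restart the affected service) is shown below as an added example; it is not ChekMate's own LiveIDS code. The directory layout, the file-name-to-service mapping, the `cron` entry and the use of `cmp` are all assumptions made for illustration, since the page only says "the appropriate service" is restarted.

```shell
#!/bin/sh
# Added example (not the LiveIDS project's code): one polling cycle of the
# sensor-side config sync. Hypothetical layout:
#   $COMMON  - mirror of the WebJob "common to all sensors" directory
#   $SENSOR  - mirror of this sensor's own directory (overrides common files)
#   $LIVE    - the directory the running services read their config from
# A cron entry such as  */5 * * * * /usr/local/sbin/liveids-sync  (assumed)
# would invoke poll_once every five minutes, as the page describes.

# Map a config file name to the service that must be restarted when it
# changes. This mapping is an assumption; the page does not list it.
service_for() {
    case "$1" in
        snort.conf|*.rules) echo snort ;;
        pmacctd.conf)       echo pmacct ;;
        snmpd.conf)         echo snmpd ;;
        *)                  echo "" ;;
    esac
}

# sync_dir SRC DST: copy each regular file from SRC into DST when it is
# missing or differs (byte compare via cmp); print each changed file name.
sync_dir() {
    src=$1; dst=$2
    mkdir -p "$dst"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if [ ! -f "$dst/$name" ] || ! cmp -s "$f" "$dst/$name"; then
            cp "$f" "$dst/$name"
            echo "$name"
        fi
    done
}

# poll_once COMMON SENSOR LIVE: sync common files first, then the
# sensor-specific files so they win, and print the distinct services that
# need a restart (space-separated, sorted). Prints nothing when no file
# changed, so an unchanged tree never restarts anything.
poll_once() {
    common=$1; sensor=$2; live=$3
    changed=$( { sync_dir "$common" "$live"; sync_dir "$sensor" "$live"; } )
    services=""
    for name in $changed; do
        svc=$(service_for "$name")
        [ -n "$svc" ] && services="$services $svc"
    done
    echo "$services" | tr ' ' '\n' | grep -v '^$' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# restart_services "svc1 svc2": restart each service through the init
# script. Set RESTART_CMD=echo for a dry run that only prints the actions.
restart_services() {
    for svc in $1; do
        ${RESTART_CMD:-service} "$svc" restart
    done
}

# Typical invocation on a sensor (paths are assumptions):
#   needs=$(poll_once /var/webjob/common /var/webjob/sensor01 /etc/liveids)
#   [ -n "$needs" ] && restart_services "$needs"
```

Only files that actually differ trigger a restart, which keeps Snort from being bounced (and dropping packets) on every five-minute cycle; a sensor-specific file with the same name as a common file overrides it because it is synced second.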