Snort mailing list archives
RE: Snort as a host-based IDS
From: Saad Kadhi <bsdguy () noos fr>
Date: 15 Oct 2001 07:45:52 +0200
On Wed, 2001-10-10 at 17:05, Kevin Brown wrote:
On a machine that slow you would get better performance running Linux or BSD instead of Win2k for snort/php/acid/apache and have fewer inherent vulnerabilities (e.g. IIS crap).
I agree with this. My personal preference goes to OpenBSD because:

1. it's very easy to set up
2. secure operating system
3. coherent stuff
4. a true workhorse even on old machines after some kernel tweaking

But I don't see any point to have snort as a HIDS. It doesn't make sense to me. A HIDS is more on the OS/users behavior/filesystem change than on the what-is-that-weird-traffic-thru-the-wire. Snort "analyzes" only the latter. Then better run snort on a dedicated box if you are interested in watching the wire :)
-----Original Message-----
From: Pesek Wolfgang (Mail) [mailto:WPesek () council net]
Sent: Tuesday, October 09, 2001 12:55
To: 'Chris Kirby '; ''snort-users () lists sourceforge net' '
Subject: AW: [Snort-users] Snort as a host-based IDS

I run a farm of 26 Webservers and snort it with a P133/64 MB running on Windows 2000 Server. Sure needs some special installation of the OS to reduce load of the cpu (disable all unneeded services and so on..) Also I log into a mysql DB and query this with ACID. Works fine on one mirrored port on our Cisco 2924XL. So from my point of view just go ahead and use an older box to run snort! Just one little thing to say: I use a script to flush the Database when the alerts are growing above ca. 5000.. cause then you run into timeouts when querying the DB. Not sure if this is a problem with mySQL/ACID or the really old hardware. Hope I could give you some points to think about..

Wolfgang

-----Original Message-----
From: Chris Kirby
To: 'snort-users () lists sourceforge net'
Sent: 09.10.01 20:55
Subject: [Snort-users] Snort as a host-based IDS

We have a server farm of about ten Windows NT4 webservers that I would like to install Snort on. Can snort be installed on win32 machines as a host-based IDS or can it only function as a network-based IDS on this particular platform? Since we do not have a lot of bandwidth pushing through (under 2mb/s), would it be better to dedicate a box as a network based IDS? Also, can snort as a host-based IDS detect filesystem changes or would I just install tripwire along with snort to get the best of both worlds? One issue however is that our webservers are sitting behind F5 Load balancers and are in a switched environment. I am not sure if our switches (Cisco 2924XL) will support spanning ports or not, does anyone know? I may have to stick with host based IDS no matter what if it does not.

Since our bandwidth is not high, could we get away with one Intel Pentium 3-750mhz box running Snort to monitor both the segment in front of the firewall as well as the DMZ? Is there any security risk in installing a network based IDS that can bypass the firewall or does the "read-only" ethernet cable splice ensure one-way traffic only? Any comments are welcome. :) Thanks in advance!

Chris.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
/saad
[put your signature here] self-customize-sig(tm). another dumb patent... nodisclaimer
Current thread:
- Snort as a host-based IDS Chris Kirby (Oct 09)
- <Possible follow-ups>
- RE: Snort as a host-based IDS Chris Kirby (Oct 09)
- Re: Snort as a host-based IDS Fyodor (Oct 09)
- RE: Snort as a host-based IDS Kevin Brown (Oct 11)
- RE: Snort as a host-based IDS Saad Kadhi (Oct 14)