Snort mailing list archives

Re: Snort - VPS web server (Debian)


From: Mike Lococo <mikelococo () gmail com>
Date: Tue, 30 Aug 2011 11:08:42 -0400

On 08/28/2011 03:00 PM, Martin Holste wrote:
> On such a small server and with such a specific use, I'm not sure
> running Snort is the right tool for the job.  I think mod_security
> with centralized logging would be a better fit, especially since it's
> serving mostly static content.

I would reiterate that Snort is probably a poor match for this
environment.  You say "mostly" dynamic, but are you running a DB at all?
You're going to need 32-64MB of memory for that.  Do you run PHP?
Another 30-120MB depending on the application and the number of
processes you use to serve active content.  You may end up needing a second
VPS just to run Snort, and needing to have it do packet forwarding to
the web-server.

Is anyone actually running Snort with a memory footprint of 128MB or 
less?  Most of my experience is with fairly large high-throughput 
setups, so maybe I have a warped view of how little RAM Snort can take 
at the low end.

As mentioned, mod_security will let you do signature-based blocking of
HTTP attacks (the kind that really matter for a web-server) in just a
couple of megs of RAM, and there are some rulesets out there that I
believe are decent, like the OWASP set.

Cheers,
Mike Lococo
