Snort mailing list archives
Snort as a host-based IDS
From: Chris Kirby <ckirby () streetviews com>
Date: Tue, 9 Oct 2001 14:55:50 -0400
We have a server farm of about ten Windows NT4 webservers that I would like to install Snort on. Can Snort be installed on win32 machines as a host-based IDS or can it only function as a network-based IDS on this particular platform? Since we do not have a lot of bandwidth pushing through (under 2mb/s), would it be better to dedicate a box as a network-based IDS? Also, can Snort as a host-based IDS detect filesystem changes or would I just install tripwire along with Snort to get the best of both worlds?

One issue however is that our webservers are sitting behind F5 Load balancers and are in a switched environment. I am not sure if our switches (Cisco 2924XL) will support spanning ports or not; does anyone know? I may have to stick with host-based IDS no matter what if it does not.

Since our bandwidth is not high, could we get away with one Intel Pentium 3-750mhz box running Snort to monitor both the segment in front of the firewall as well as the DMZ? Is there any security risk in installing a network-based IDS that can bypass the firewall or does the "read-only" ethernet cable splice ensure one-way traffic only?

Any comments are welcome. :)

Thanks in advance!

Chris.