Snort mailing list archives

Snort as a host-based IDS


From: Chris Kirby <ckirby () streetviews com>
Date: Tue, 9 Oct 2001 14:55:50 -0400

We have a server farm of about ten Windows NT4 webservers that I would
like to install Snort on. Can snort be installed on win32 machines as a
host-based IDS or can it only function as a network-based IDS on this
particular platform? Since we do not have a lot of bandwidth pushing through
(under 2mb/s), would it be better to dedicate a box as a network based IDS?
Also, can snort as a host-based IDS detect filesystem changes or would I
just install tripwire along with snort to get best of both worlds?

One issue however is that our webservers are sitting behind F5 Load
balancers and are in a switched environment. I am not sure if our switches
(Cisco 2924XL) will support spanning ports or not, does anyone know? I may
have to stick with host based IDS no matter what if it does not. 

Since our bandwidth is not high, could we get away with one Intel Pentium
3-750mhz box running Snort to monitor both the segment in front of firewall
as well as the DMZ? Is there any security risk in installing a network based
IDS that can bypass the firewall or does the "read-only" ethernet cable
splice ensure one-way traffic only?

Any comments are welcome. :) Thanks in advance!

Chris.



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net