Snort mailing list archives

Re: Snort as a host-based IDS


From: Fyodor <fygrave () tigerteam net>
Date: Wed, 10 Oct 2001 04:49:08 +0700

On Tue, Oct 09, 2001 at 05:17:22PM -0400, Chris Kirby wrote:
> Fair enough! :)
>
> I don't really have a dedicated machine available (yet, grin). But I do have
> a freebsd box that is a Pentium3-750 with 128mb of ram, but it is currently
> our bigbrother/mrtg/syslog server. Average load times are around 0.11.
>
> If our bandwidth is low (under 1mb/s), how much load will Snort add to this,

I believe the box should be able to handle this. Just don't run snort in
verbose mode as daemon :-)

> especially if I want to monitor the external and DMZ segment? Are there any
> problems that you can think of in Snort co-existing with BigBrother? I could

not that I know of.

> not entirely lock down the server because I need to get some ports open for
> the BigBrother daemon so I'm not sure if this will be a problem or not.

Wouldn't be a problem... until someone finds a new bug in BB or
something :-)

The only thing which you are risking here is having single failure point
for multiple services: syslog (means logging from all your unix servers
go here), mrtg (means snmp community strings to all your routers are
here), BigBrother and snort. If one of these elements fails, the others
get automagically 0wn3d, if you feel it's all right, then should be ok :)

-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
