Snort mailing list archives
RE: Snort as a host-based IDS
From: Kevin Brown <Kevin.M.Brown () asu edu>
Date: Wed, 10 Oct 2001 08:05:45 -0700
On a machine that slow you would get better performance running Linux or BSD instead of Win2k for snort/php/acid/apache and have fewer inherent vulnerabilities (e.g. IIS crap).

-----Original Message-----
From: Pesek Wolfgang (Mail) [mailto:WPesek () council net]
Sent: Tuesday, October 09, 2001 12:55
To: 'Chris Kirby '; ''snort-users () lists sourceforge net' '
Subject: AW: [Snort-users] Snort as a host-based IDS

I run a farm of 26 webservers and snort it with a P133/64 MB running on Windows 2000 Server. Sure needs some special installation of the OS to reduce load of the CPU (disable all unneeded services and so on..). Also I log into a MySQL DB and query this with ACID. Works fine on one mirrored port on our Cisco 2924XL. So from my point of view just go ahead and use an older box to run snort!

Just one little thing to say: I use a script to flush the database when the alerts are growing above ca. 5000, cause then you run into timeouts when querying the DB. Not sure if this is a problem with MySQL/ACID or the really old hardware.

Hope I could give you some points to think about..

Wolfgang

-----Original Message-----
From: Chris Kirby
To: 'snort-users () lists sourceforge net'
Sent: 09.10.01 20:55
Subject: [Snort-users] Snort as a host-based IDS

We have a server farm of about ten Windows NT4 webservers that I would like to install Snort on. Can snort be installed on win32 machines as a host-based IDS, or can it only function as a network-based IDS on this particular platform? Since we do not have a lot of bandwidth pushing through (under 2mb/s), would it be better to dedicate a box as a network-based IDS? Also, can snort as a host-based IDS detect filesystem changes, or would I just install tripwire along with snort to get the best of both worlds?

One issue however is that our webservers are sitting behind F5 load balancers and are in a switched environment. I am not sure if our switches (Cisco 2924XL) will support spanning ports or not; does anyone know? I may have to stick with host-based IDS no matter what if it does not. Since our bandwidth is not high, could we get away with one Intel Pentium 3-750mhz box running Snort to monitor both the segment in front of the firewall as well as the DMZ? Is there any security risk in installing a network-based IDS that can bypass the firewall, or does the "read-only" ethernet cable splice ensure one-way traffic only?

Any comments are welcome. :) Thanks in advance!

Chris.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
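Wolfgang mentions a script that flushes the alert database once it grows past roughly 5000 rows, but the script itself is not in the thread. The following is an added example, not his script and not Snort or ACID project code: it implements the same threshold idea but archives old alerts into mirror tables inside one transaction instead of discarding them, so ACID queries stay fast without losing evidence. It assumes a cut-down version of the Snort `event` table and one child table (`iphdr`), run in SQLite so it works offline; the real deployment is MySQL with further child tables (`tcphdr`, `udphdr`, `icmphdr`, `data`), which would be moved the same way. The names `event_archive`, `iphdr_archive`, `KEEP_NEWEST` and the constructed sample alerts are assumptions.

```python
"""Archive-then-prune for a Snort alert database (added example, not from the thread).

Models the Snort `event` table and one child table (`iphdr`) in SQLite so it
runs offline. Rows beyond the threshold are moved into *_archive tables in a
single transaction rather than flushed, so evidence survives the cleanup.
"""
import sqlite3
from datetime import datetime, timedelta

ALERT_THRESHOLD = 5000  # from the thread: ACID queries start timing out above ~5000 alerts
KEEP_NEWEST = 1000      # assumption: how many recent alerts stay in the live tables

# Assumption: a trimmed version of the Snort schema. sid = sensor id,
# cid = per-sensor event counter; the archive tables mirror the live ones.
SCHEMA = """
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    PRIMARY KEY (sid, cid));
CREATE TABLE event_archive (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr_archive (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    PRIMARY KEY (sid, cid));
"""


def open_db(path=":memory:"):
    """Open (or create) the database and install the assumed schema."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def seed_alerts(conn, n, sid=1, start=datetime(2001, 10, 9, 20, 55)):
    """Insert n constructed alerts, one second apart, as sensor `sid` would log them."""
    events = [(sid, cid, 1000 + cid % 7,
               (start + timedelta(seconds=cid)).strftime("%Y-%m-%d %H:%M:%S"))
              for cid in range(1, n + 1)]
    headers = [(sid, cid, 0x0A000001, 0xC0A80000 + cid % 250) for cid in range(1, n + 1)]
    with conn:
        conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", events)
        conn.executemany("INSERT INTO iphdr VALUES (?, ?, ?, ?)", headers)


def live_alert_count(conn):
    return conn.execute("SELECT COUNT(*) FROM event").fetchone()[0]


def archived_alert_count(conn):
    return conn.execute("SELECT COUNT(*) FROM event_archive").fetchone()[0]


def newest_live_cid(conn):
    return conn.execute("SELECT MAX(cid) FROM event").fetchone()[0]


def archive_old_alerts(conn, threshold=ALERT_THRESHOLD, keep=KEEP_NEWEST):
    """Once the live table exceeds `threshold`, move all but the `keep` newest
    alerts (and their child rows) into the archive tables. Returns rows moved."""
    if live_alert_count(conn) <= threshold:
        return 0
    # Newest first; everything past the first `keep` rows is old enough to move.
    # LIMIT -1 is SQLite's "no limit", so OFFSET alone selects the tail.
    old = conn.execute(
        "SELECT sid, cid FROM event ORDER BY timestamp DESC, cid DESC LIMIT -1 OFFSET ?",
        (keep,)).fetchall()
    # One transaction: either every row lands in the archive and leaves the live
    # tables, or nothing changes. Child rows are deleted first so no orphans remain.
    with conn:
        conn.executemany("INSERT INTO event_archive SELECT * FROM event WHERE sid=? AND cid=?", old)
        conn.executemany("INSERT INTO iphdr_archive SELECT * FROM iphdr WHERE sid=? AND cid=?", old)
        conn.executemany("DELETE FROM iphdr WHERE sid=? AND cid=?", old)
        conn.executemany("DELETE FROM event WHERE sid=? AND cid=?", old)
    return len(old)


if __name__ == "__main__":
    db = open_db()
    seed_alerts(db, 6000)
    print("live before:", live_alert_count(db))
    print("moved:", archive_old_alerts(db))
    print("live after:", live_alert_count(db), "archived:", archived_alert_count(db))
```

Running it from cron with the same threshold Wolfgang quotes keeps the live tables small enough for ACID while the archive tables retain the full record for later investigation; because the move is transactional, a crash halfway through leaves the live tables untouched rather than half-emptied.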
Current thread:
- Snort as a host-based IDS Chris Kirby (Oct 09)
- <Possible follow-ups>
- RE: Snort as a host-based IDS Chris Kirby (Oct 09)
- Re: Snort as a host-based IDS Fyodor (Oct 09)
- RE: Snort as a host-based IDS Kevin Brown (Oct 11)
- RE: Snort as a host-based IDS Saad Kadhi (Oct 14)