Snort mailing list archives

Re: IDS Topology


From: Saad Kadhi <saad () docisland org>
Date: Fri, 10 Jan 2003 07:48:07 +0100

On Thu, Jan 09, 2003 at 10:29:53PM -0600, Demetri Mouratis wrote:
> Your best bet is to find a dedicated machine for the sensor. If that's
> not possible, you can just install all the components on one machine.
> Several pitfalls with that approach:

> - running additional servers on the sensor makes it inherently more
> vulnerable
...unless the additional services are conveniently configured and
secured:
  - apache with less privileges[1], listening on localhost only[2]
  - mysql with less privileges
  - services only reachable from the internal, non-sniffing, network
    card
  - ...

> - database, snort, apache, ..., all competing for same system resources
barnyard + os tuning may help in this regard. but I agree that this is
the biggest issue imho with this kind of setup.

> - no stealth logging ability
why? an all-component machine doesn't necessarily imply a single NIC.
you can always throw two cards at the task and use one for detection
while hooking the other to a secure administration network. the
detection/sniffing card would be set up so that it doesn't have an IP
address.

> Read some of the ACID documentation for more reasons.
in which file(s)?

on the website, the only file I found that says something about this
subject[3] is http://acidlab.sourceforge.net/acid_faq.html and even
there, there is little information:

  <quote>
  * When possible, run the sensor (Snort), database, and web server on
    separate machines.
  </quote>

cheers.
--
[1] apache runs by default as an unprivileged user/group on many *nix
    platforms. openbsd goes to the extent of chroot()-ing it by default
    starting from openbsd 3.2
[2] to access apache from remote machines, one would use ssh port
    forwarding
[3] if I missed it, I'm better off eating some carrots ;)
-- 
Saad Kadhi -- [saad () docisland org] [saad.kadhi () hapsis fr]
[pgp keyid: 35592A6D http://pgp.mit.edu]
[pgp fingerprint: BF7D D73E 1FCF 4B4F AF63  65EB 34F1 DBBF 3559 2A6D]
---
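The hardening the reply describes for an all-in-one sensor (services bound to localhost or the admin NIC only, ssh port forwarding for remote access, a sniffing card with no IP address) is easy to drift away from after a package upgrade, so it is worth auditing. The script below is an added example written for this archive page; it is not code from the post or from the Snort or ACID projects. It assumes a Linux host with `ss` and `ip` (the post's *nix and OpenBSD cases would feed `netstat -an` and `ifconfig` output into the same functions instead), a sniffing NIC named eth1 and an admin NIC address of 192.0.2.10, all of which are constructed values, and listener lines in the column layout of `ss -H -lnt` / `netstat -lnt`, where field 4 is "Local Address:Port".

```shell
#!/bin/sh
# Audit helpers for an all-in-one Snort sensor. Added example; not from the post.
# Assumptions (constructed): sniffing NIC = eth1, admin NIC address = 192.0.2.10,
# listener lines in `ss -H -lnt` / `netstat -lnt` layout (field 4 = Local Address:Port).

# listeners_confined [ADMIN_IP]
#   Reads listener lines on stdin. Returns 0 when every listening socket is bound
#   to loopback (127.0.0.1 / ::1) or, if given, to ADMIN_IP (the admin NIC, e.g.
#   for sshd used with port forwarding). Anything bound to a wildcard (0.0.0.0,
#   ::, *) or to any other address is printed to stderr and the function returns 1.
listeners_confined() {
    admin_ip=${1:-}
    offending=$(awk -v admin="$admin_ip" 'NF >= 4 {
        addr = $4
        sub(/:[0-9*]+$/, "", addr)          # strip the trailing :port
        if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1") next
        if (admin != "" && addr == admin) next
        print
    }')
    if [ -n "$offending" ]; then
        printf 'listener not confined to loopback/admin NIC:\n%s\n' "$offending" >&2
        return 1
    fi
    return 0
}

# iface_has_no_ip
#   Reads `ip -o addr show dev <if>` output on stdin; returns 0 only when no
#   inet/inet6 address is configured, i.e. the card is a pure sniffing port.
iface_has_no_ip() {
    ! grep -Eq '(^|[[:space:]])inet6?[[:space:]]'
}

# audit_sensor SNIFF_IF [ADMIN_IP]
#   Live audit with the real commands (not run by default; call it explicitly).
audit_sensor() {
    sniff_if=$1
    admin_ip=${2:-}
    ip -o addr show dev "$sniff_if" | iface_has_no_ip \
        || { echo "FAIL: $sniff_if has an IP address configured" >&2; return 1; }
    ss -H -lnt | listeners_confined "$admin_ip" \
        || { echo "FAIL: services reachable beyond loopback/admin NIC" >&2; return 1; }
    echo "OK: $sniff_if is address-less and listeners are confined"
}

# Constructed sample data (not real output) so the script runs offline.
SAMPLE_GOOD='LISTEN 0 128 127.0.0.1:80 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 192.0.2.10:22 0.0.0.0:*'
SAMPLE_BAD='LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*'
SAMPLE_IF_BAD='2: eth1    inet 192.0.2.99/24 brd 192.0.2.255 scope global eth1\       valid_lft forever preferred_lft forever'

demo() {
    printf '%s\n' "$SAMPLE_GOOD" | listeners_confined 192.0.2.10 && echo "good table: confined"
    printf '%s\n' "$SAMPLE_BAD" | listeners_confined 192.0.2.10 || echo "bad table: rejected"
    iface_has_no_ip </dev/null && echo "empty addr output: sniffing NIC has no IP"
    printf '%s\n' "$SAMPLE_IF_BAD" | iface_has_no_ip || echo "addressed NIC: rejected"
}
demo
```

On a real sensor, `audit_sensor eth1 192.0.2.10` (with your own interface name and admin address) runs the live checks; apache or mysql reappearing on 0.0.0.0 after an upgrade, or an address being assigned to the sniffing card by a DHCP client, shows up as a non-zero exit, which makes the script easy to put in cron or a config-management check.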

