Snort mailing list archives
Re: IDS Topology
From: Saad Kadhi <saad () docisland org>
Date: Fri, 10 Jan 2003 07:48:07 +0100
On Thu, Jan 09, 2003 at 10:29:53PM -0600, Demetri Mouratis wrote:
> Your best bet is to find a dedicated machine for the sensor. If that's not possible, you can just install all the components on one machine. Several pitfalls with that approach:
> - running additional servers on the sensor makes it inherently more vulnerable
...unless the additional services are conveniently configured and secured:
- apache with less privileges[1], listening on localhost only[2]
- mysql with less privileges
- services only reachable from the internal, non-sniffing, network card
- ...
> - database, snort, apache, ..., all competing for same system resources
barnyard + os tuning may help in this regard. but I agree that this is the biggest issue imho with this kind of setup.
> - no stealth logging ability
why? an all-component machine doesn't necessarily imply a single NIC. you can always throw two cards at the task and use one for detection while hooking the other to a secure administration network. the detection/sniffing card would be set up so that it doesn't have an IP address.
> Read some of the ACID documentation for more reasons.
in which file(s)? on the website, the only file I found that says something about this subject[3] is http://acidlab.sourceforge.net/acid_faq.html and even there, there is little information:

<quote>
* When possible, run the sensor (Snort), database, and web server on separate machines.
</quote>

cheers.

--
[1] apache runs by default as an unprivileged user/group on many *nix platforms. openbsd goes to the extent of chroot()-ing it by default starting from openbsd 3.2
[2] to access apache from remote machines, one would use ssh port forwarding
[3] if I missed it, I'm better off eating some carrots ;)

--
Saad Kadhi -- [saad () docisland org] [saad.kadhi () hapsis fr]
[pgp keyid: 35592A6D http://pgp.mit.edu]
[pgp fingerprint: BF7D D73E 1FCF 4B4F AF63 65EB 34F1 DBBF 3559 2A6D]
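The hardening Saad lists (Apache bound to localhost only, MySQL and other services reachable only via the administration NIC, a sniffing NIC with no IP address) is easy to state and easy to drift away from. As an added example, not part of this post or of the Snort/ACID projects, here is a small Python audit that checks those three properties from the command output a sensor admin would normally eyeball. Interface names (eth0 as admin NIC, eth1 as sniffing NIC), the admin address 10.0.0.5, and the `ip -o addr show`, httpd.conf and `ss -ltn` snippets are all constructed assumptions embedded in the script; in real use you would feed it the live output instead.

```python
import re
from typing import Dict, List

# Assumed roles for this example (not from the post): eth1 sniffs, eth0 is
# on the secure administration network. Adjust to your sensor.
SNIFF_IFACE = "eth1"    # detection NIC: must carry no IP address at all
MGMT_ADDR = "10.0.0.5"  # admin NIC address; the only non-loopback bind allowed
LOOPBACK = {"127.0.0.1", "::1"}


def iface_addresses(ip_addr_output: str) -> Dict[str, List[str]]:
    """Parse `ip -o addr show` style lines into {iface: [address, ...]}."""
    addrs: Dict[str, List[str]] = {}
    for line in ip_addr_output.splitlines():
        m = re.match(r"^\d+:\s+(\S+)\s+inet6?\s+(\S+)", line)
        if m:
            addrs.setdefault(m.group(1), []).append(m.group(2).split("/")[0])
    return addrs


def sniff_iface_findings(ip_addr_output: str, iface: str = SNIFF_IFACE) -> List[str]:
    """Stealth check: the sniffing card must have nothing to answer from."""
    return [f"{iface} carries address {a}; the sniffing NIC must have no IP"
            for a in iface_addresses(ip_addr_output).get(iface, [])]


def _bind_host(spec: str) -> str:
    """'127.0.0.1:80' -> '127.0.0.1', '[::1]:443' -> '::1', '80' -> ''."""
    host = spec.rsplit(":", 1)[0] if ":" in spec else ""
    return host.strip("[]")


def apache_listen_findings(httpd_conf: str) -> List[str]:
    """Every Listen directive must name a loopback address; bare `Listen 80`
    binds all interfaces, including any address the sniffing NIC might get."""
    findings = []
    for raw in httpd_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^Listen\s+(\S+)", line, re.IGNORECASE)
        if m and _bind_host(m.group(1)) not in LOOPBACK:
            findings.append(f"Apache '{line}' is reachable beyond localhost")
    return findings


def listener_findings(ss_output: str, allowed=None) -> List[str]:
    """Every listening socket (from `ss -ltn`) must be bound to loopback or to
    the admin NIC address; wildcard binds (0.0.0.0, *, ::) are findings."""
    allowed = (LOOPBACK | {MGMT_ADDR}) if allowed is None else allowed
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skips the header line and non-listening rows
        local = fields[3]
        if _bind_host(local) not in allowed:
            findings.append(f"socket {local} is bound outside loopback/admin NIC")
    return findings


def audit_sensor(ip_addr_output: str, httpd_conf: str, ss_output: str) -> List[str]:
    """Combine the three checks; an empty list means the box matches the advice."""
    return (sniff_iface_findings(ip_addr_output)
            + apache_listen_findings(httpd_conf)
            + listener_findings(ss_output))


# Constructed sample output for a sloppy all-in-one sensor.
WEAK_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0
3: eth1    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth1
"""
WEAK_HTTPD = "Listen 80\nUser www-data\n"
WEAK_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:80        0.0.0.0:*
LISTEN 0      80     0.0.0.0:3306      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
"""

# Constructed sample output for the same box after applying the post's advice.
HARD_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0
"""
HARD_HTTPD = "Listen 127.0.0.1:80\nUser www-data\nGroup www-data\n"
HARD_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:80      0.0.0.0:*
LISTEN 0      80     127.0.0.1:3306    0.0.0.0:*
LISTEN 0      128    10.0.0.5:22       0.0.0.0:*
"""

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_IP_ADDR, WEAK_HTTPD, WEAK_SS)),
                        ("hardened", (HARD_IP_ADDR, HARD_HTTPD, HARD_SS))):
        print(f"[{label}]")
        for f in audit_sensor(*args) or ["no findings"]:
            print("  -", f)
```

The only non-loopback listener the hardened sample allows is sshd on the admin address, which is what footnote [2] relies on: with Apache bound to 127.0.0.1, an analyst reaches ACID over `ssh -L 8080:127.0.0.1:80 admin@10.0.0.5` and browses http://localhost:8080/ on their own workstation. Note that `ss -ltn` reports only the socket binds; a bind to the admin address still needs host firewall rules so the sniffing NIC, which here has no address, cannot be given one later without anyone noticing.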
Current thread:
- IDS Topology Saul Bosquez (Jan 09)
- Re: IDS Topology Demetri Mouratis (Jan 09)
- Re: IDS Topology Saad Kadhi (Jan 09)
- Re: IDS Topology Demetri Mouratis (Jan 10)
- Re: IDS Topology Saad Kadhi (Jan 09)
- <Possible follow-ups>
- IDS Topology Saul Bosquez (Jan 09)
- Re: IDS Topology Erek Adams (Jan 09)
- Re: IDS Topology Bennett Todd (Jan 10)
- RE: IDS Topology James R. Hendrick (Jan 10)
- IDS Topology Saul Bosquez (Jan 10)
- Re: IDS Topology Demetri Mouratis (Jan 09)