Snort mailing list archives

Previous By Date Next
Previous By Thread Next

AW: Snort as a host-based IDS

From: "Pesek Wolfgang (Mail)" <WPesek () council net>
Date: Tue, 9 Oct 2001 21:54:48 +0200
I run a farm of 26 Webservers and snort it with a P133/64 MB running on
Windows 2000 Server. Sure needs some special installation of the OS to
reduce load of the cpu (disable all unneeded services and so on..) 
Also i log into a mysql DB and query this with ACID. Works fine on one
mirrored port on our Cisco 2924XL.  
So from my point of view just go ahead and use an older box to run snort !

Just one little thing to say : a use a script to flush the Database when the
alerts are growing above ca. 5000..  cause then you run into timeouts when
querying the DB.  Not sure if this is a problem with mySQL/ACID or the
really old hardware.

hope i could give you some points to think about..

Wolfgang


-----Originalnachricht-----
Von: Chris Kirby
An: 'snort-users () lists sourceforge net'
Gesendet: 09.10.01 20:55
Betreff: [Snort-users] Snort as a host-based IDS

We have a a server farm of about ten Windows NT4 webservers that I would
like to install Snort on. Can snort be installed on win32 machines as a
host-based IDS or can it only function as a network-based IDS on this
particular platform? Since we do not have a lot of bandwidth pushing
through
(under 2mb/s), would it be better to dedicate a box as a network based
IDS?
Also, can snort as a host-based IDS detect filesystem changes or would I
just install tripwire along with snort to get best of both worlds?

One issue however is that our webservers are sitting behind F5 Load
balancers and are in a switched environment. I am not sure if our
switches
(Cisco 2924XL) will support spanning ports or not, does anyone know? I
may
have to stick with host based IDS no matter what if it does not. 

Since our bandwidth is not high, could we get away with one Intel
Pentium
3-750mhz box running Snort to monitor both the segment in front of
firewall
as well as the DMZ? Is there any security risk in installing a network
based
IDS that can bypass the firewall or does the "read-only" ethernet cable
splice ensure one-way traffic only?

Any comments are welcome. :) Thanks in advance!

Chris.



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: