Snort mailing list archives

Re: performance concern


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 17 Jun 2003 15:45:33 -0400

At 01:37 PM 6/17/2003 -0500, Francisco Morosini wrote:
Hi! I have a concern: I have a machine with IIS 5.0, and I ask if it is
possible to run the IDS with the web server on the same machine, or will I
have performance trouble?

Depends totally on the load, and what kind of hardware you are running on if this will have performance issues. Heck, without defining load and hardware, you can't even ascertain if you'll have performance issues without IIS, much less what will happen with IIS added to the picture.

However my biggest hesitation would be security, not performance. If you want snort to watch your webserver for attack, bear in mind that if your IIS is successfully hacked, a reasonably skilled attacker can very easily erase their tracks if snort is on the same system and logging its data there.

This alone is one VERY good reason to run snort on a machine that is as isolated as possible from any possibility of exploit if you want to use it to track down "what happened" after an attack. My snort box isn't even allowed to send data to any machine outside the local network by the firewall (actually two firewalls both block this, one on the snort box itself, and one in the network border router). It's also not allowed to do recursive DNS queries.






