Snort mailing list archives

Re: Snort - VPS web server (Debian)


From: Martin Holste <mcholste () gmail com>
Date: Sun, 28 Aug 2011 14:00:54 -0500

On such a small server and with such a specific use, I'm not sure
running Snort is the right tool for the job.  I think mod_security
with centralized logging would be a better fit, especially since it's
serving mostly static content.  That said, Snort should run ok, but
make sure you use the lightest memory setting for the fast pattern
matcher, and most importantly, that you only run signatures applicable
to the services it runs.  When you've done all that, what you'll end
up with is a system that will create alerts when it notices generic
web attacks and high-level HTTP violations, like the Apache range
vulnerability of late.  All of this will be less specific and more
resource-intensive than mod_security, which is why I recommend that
you just start with that to begin with.

On Sun, Aug 28, 2011 at 12:26 PM, Johnny Venter <Johnny.Venter () zoho com> wrote:
Hello,

I am looking for guidance/advice.

I have a VPS server that is running Debian with Lighttpd and sendmail.  The memory is 256MB and the HD space is 10GB.

The website I have is very light and mainly static content.

Currently, I have iptables installed that permits port 80/443 inbound.

I would like to install Snort on this VPS in IPS mode without bringing my system to a crawl.  I assume I can disable the preprocessors that I will not need.  So I can just enable the web preprocessors?

Is this correct and can someone add input if they have completed the same project before?


Thanks, Johnny

------------------------------------------------------------------------------
EMC VNX: the world's simplest storage, starting under $10K
The only unified storage solution that offers unified management
Up to 160% more powerful than alternatives and 25% more efficient.
Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
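
The two tuning steps named in the reply above (the lightest-memory fast pattern matcher setting, and only the signatures for services the host runs), as an added example that is not part of the original thread. It assumes a Snort 2.9-style snort.conf; the `KEEP_RULES` allowlist and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): trim a Snort 2.9-style snort.conf.
# Assumption: rule sets are loaded via "include $RULE_PATH/<name>.rules".
# KEEP_RULES is a hypothetical allowlist; match it to your own rule files.
KEEP_RULES="web-attacks web-misc web-cgi web-php local"

# Reads a snort.conf on stdin and writes the trimmed version to stdout.
trim_snort_conf() {
    awk -v keep="$KEEP_RULES" '
    BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allowed[k[i]] = 1 }
    # Switch the fast pattern matcher to the low-memory keyword trie.
    $1 == "config" && $2 == "detection:" {
        for (i = 3; i < NF; i++)
            if ($i == "search-method") { $(i + 1) = "lowmem"; seen = 1 }
        print; next
    }
    # Comment out active rule includes that are not on the allowlist.
    $1 == "include" && $2 ~ /^\$RULE_PATH\/.*\.rules$/ {
        name = $2
        sub(/^.*\//, "", name); sub(/\.rules$/, "", name)
        if (!(name in allowed)) { print "# disabled: " $0; next }
    }
    { print }
    # No search-method line in the input: add one.
    END { if (!seen) print "config detection: search-method lowmem" }
    '
}

# Constructed sample input, not a real configuration.
sample_conf() {
    cat <<'EOF'
var RULE_PATH /etc/snort/rules
config detection: search-method ac-split search-optimize max-pattern-len 20
include $RULE_PATH/netbios.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/p2p.rules
EOF
}

sample_conf | trim_snort_conf
```

To use it on a real file, redirect the configuration into `trim_snort_conf`, write the result to a new file, and check that file with `snort -T -c` before putting it into service.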

