Snort mailing list archives

Re: Snort - VPS web server (Debian)


From: Martin Holste <mcholste () gmail com>
Date: Mon, 29 Aug 2011 11:45:54 -0500

config detection: search-method ac-bnfa-q split-any-any
I'm not sure if lowmem actually has lower memory than ac-bnfa, anyone
care to confirm?

On Mon, Aug 29, 2011 at 10:41 AM, johnny.venter <johnny.venter () zoho com> wrote:
Could you elaborate on using the "lightest memory setting for the fast pattern matcher"?

---- On Sun, 28 Aug 2011 12:00:54 -0700 Martin Holste <mcholste () gmail com> wrote ----

 > On such a small server and with such a specific use, I'm not sure
 > running Snort is the right tool for the job.  I think mod_security
 > with centralized logging would be a better fit, especially since it's
 > serving mostly static content.  That said, Snort should run ok, but
 > make sure you use the lightest memory setting for the fast pattern
 > matcher, and most importantly, that you only run signatures applicable
 > to the services it runs.  When you've done all that, what you'll end
 > up with is a system that will create alerts when it notices generic
 > web attacks and high-level HTTP violations, like the Apache range
 > vulnerability of late.  All of this will be less specific and more
 > resource-intensive than mod_security, which is why I recommend that
 > you just start with that to begin with.
 >
 > On Sun, Aug 28, 2011 at 12:26 PM, Johnny Venter <Johnny.Venter () zoho com> wrote:
 > > Hello,
 > >
 > > I am looking for guidance/advice.
 > >
 > > I have a VPS server that is running Debian with Lighttpd and sendmail.  The memory is 256MB and the HD space is 10GB.
 > >
 > > The website I have is very light and mainly static content.
 > >
 > > Currently, I have iptables installed that permits port 80/443 inbound.
 > >
 > > I would like to install Snort on this VPS in IPS mode without bringing my system to a crawl.  I assume I can disable the preprocessors that I will not need.  So I can just enable the web preprocessors?
 > >
 > > Is this correct and can someone add input if they have completed the same project before?
 > >
 > >
 > > Thanks, Johnny
 > >
 >



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
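Added example (not from anyone in this thread): a trimmed Snort 2.9-style snort.conf that applies the advice above to the original poster's setup, i.e. a 256MB VPS that only serves HTTP/HTTPS. It keeps the fast pattern matcher line quoted in the reply, declares only the preprocessors a static web server needs, and includes only web-facing rule files. The rule paths, file names, memcap/max_tcp sizes and the NFQUEUE number are assumptions for illustration; the Snort manual's detection table describes lowmem as the lowest-memory but slowest matcher and ac-bnfa as the high-performance, low-memory one, which is the basis for the comment on the search-method line.

```conf
# Added example, not the thread's own configuration: minimal snort.conf for a
# 256MB VPS serving only HTTP/HTTPS. Paths, sizes and queue number are assumed.

# Fast pattern matcher. ac-bnfa-q with split-any-any is the line from the reply;
# lowmem-q is the smallest footprint but the slowest matcher, so keep it as the
# fallback only if ac-bnfa still does not fit in memory.
config detection: search-method ac-bnfa-q split-any-any
# config detection: search-method lowmem-q split-any-any

# Preprocessors: only IP reassembly, TCP stream tracking for the served ports and
# HTTP inspection. Anything not declared here (smtp, ftp_telnet, dns, ssh,
# dcerpc2, sip, ...) is not loaded, which is where most of the memory goes.
preprocessor frag3_global: max_frags 8192
preprocessor frag3_engine: policy linux
preprocessor stream5_global: track_tcp yes, track_udp no, track_icmp no, max_tcp 4096, memcap 16777216
preprocessor stream5_tcp: policy linux, ports both 80 443

# HTTP inspection on port 80 only: 443 carries TLS, so http_inspect cannot see
# inside it. 'profile apache' is the closest built-in normalisation profile for
# Lighttpd (assumption: no IIS-style decoding quirks to emulate).
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile apache ports { 80 }

# IPS (inline) mode through netfilter queue, the usual choice on a VPS with a
# single interface. Assumption: an iptables rule hands port 80/443 traffic to
# NFQUEUE 0, so a drop verdict from Snort really blocks the packet.
config daq: nfq
config daq_var: queue=0
config daq_mode: inline
config policy_mode: inline

# Rules: web-facing sets only, not the whole ruleset. File names are assumed;
# use whichever web categories your rule subscription provides.
var RULE_PATH /etc/snort/rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/web-misc.rules
```

Check the result with `snort -T -c /etc/snort/snort.conf` (test mode) before going inline: it reports the search method and preprocessors actually loaded, and the process RSS in that run is a fair indication of what the box will carry. If that number is still too close to 256MB, swap in the commented lowmem-q line and retest.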