Snort mailing list archives
Re: Configuring Snort as a HIDS
From: Seth <sethsec () gmail com>
Date: Tue, 4 Dec 2007 13:47:25 -0500
Home_net -> server IP External_net -> !$HOME_NET What kind of services does the machine offer? You can probably eliminate most of the .rules files and only include the ones necessary for your specific server. Same goes for preproccessors. No need for the telnet_ftp preproccessor if you are installing snort directly on a web server that will never do any telnet or ftp. Just know that the types of alerts you will get from snort on a single server, are entirely different than a true HIDS. Something like OSSEC by Daniel Cid might be what you are really looking for. By industry standard, HIPS are more concerned with file integrity and system log parsing on the actual server (ie: apache, firewall, messages, etc). Snort, even when it is run on a single server, is more concerned with network based attacks. Remember also that if the server you install snort on sees alot of traffic, snort will be stealing alot of CPU and memory away from the service you are offering. Regards, Seth On Dec 4, 2007 1:21 PM, Kaplan, Andrew H. <AHKAPLAN () partners org> wrote:
Hi there – I have installed the prepackaged snort application, version 2.7, on a server running Fedora Core 7. My plan is to run the application as a HIDS. Is there a recommended configuration that I should set up to accomplish this? The information transmitted in this electronic communication is intended only for the person or entity to whom it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this information in error, please contact the Compliance HelpLine at 800-856-1983 and properly dispose of this information. ------------------------------------------------------------------------- SF.Net email is sponsored by: The Future of Linux Business White Paper from Novell. From the desktop to the data center, Linux is going mainstream. Let it simplify your IT future. http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------- SF.Net email is sponsored by: The Future of Linux Business White Paper from Novell. From the desktop to the data center, Linux is going mainstream. Let it simplify your IT future. http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Configuring Snort as a HIDS Kaplan, Andrew H. (Dec 04)
- Re: Configuring Snort as a HIDS Seth (Dec 04)
- Re: Configuring Snort as a HIDS Jason Haar (Dec 04)
- Re: Configuring Snort as a HIDS Sebastien Tricaud (Dec 04)
- Re: Configuring Snort as a HIDS Seth (Dec 04)