Snort mailing list archives

Re: Snort - VPS web server (Debian)


From: Martin Holste <mcholste () gmail com>
Date: Tue, 30 Aug 2011 13:02:13 -0500

Yep, no mod_security for lighttpd, apparently.  Since there is no
database and almost no dynamic content, it sounds like all you're
really needing to monitor is basic lighttpd security and email abuse.
Decent log review is probably your best bet, so maybe something like
OSSEC or SAGAN is what fits the best.

On Tue, Aug 30, 2011 at 10:37 AM, johnny.venter <johnny.venter () zoho com> wrote:
The pages are static--not dynamic.

There is no DB at all.

It is running PHP and takes input using forms for visitor information.  Sendmail runs internally according to transmit visitor submissions.

Via the lighttpd config, I have limited connections based on the IP to ensure that unnecessary resources are not taken.

Are you sure that mod_security works with lighttpd?  From a cursory search, it does not appear to work.

Thanks.

---- On Tue, 30 Aug 2011 08:08:42 -0700 Mike Lococo  wrote ----

On 08/28/2011 03:00 PM, Martin Holste wrote:
On such a small server and with such a specific use, I'm not sure
running Snort is the right tool for the job. I think mod_security
with centralized logging would be a better fit, especially since it's
serving mostly static content.

I would reiterate that Snort is probably a poor match for this
environment. You say "mostly" dynamic, but are you running a DB at all?
You're going to need 32-64MB of memory for that. Do you run PHP?
Another 30-120MB depending on the application and the number of
processes you use to serve active content. You may end up needing a second
VPS just to run Snort, and needing to have it do packet forwarding to
the web-server.

Is anyone actually running Snort with a memory footprint of 128MB or
less? Most of my experience is with fairly large high-throughput
setups, so maybe I have a warped view of how little RAM Snort can take
at the low end.

As mentioned, mod_security will let you do signature-based blocking of
HTTP attacks (the kind that really matter for a web-server) in just a
couple of megs of RAM and there are some rulesets that I believe are
decent out there like the OWASP set.

Cheers,
Mike Lococo

------------------------------------------------------------------------------
Special Offer -- Download ArcSight Logger for FREE!
Finally, a world-class log management solution at an even better
price-free! And you'll get a free "Love Thy Logs" t-shirt when you
download Logger. Secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsisghtdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


