[Snort-users] running snort on webserver

Josh Oshiro josh at ...155...
Wed Apr 25 19:37:34 EDT 2001


Simon Frohn wrote:
> 
> Hi,
> 
> at the moment I am using ipchains to
> block everything except ftp, http and ssh
> on a webserver.
> Nevertheless I would like getting informend
> about break-in attempts, scans and dos-attacks
> especially those using the http-service.
> 
> Would you recommend putting snort on
> the same machine the webserver is running?
> I do not have the possibility to set up
> a special snort server ...
> Or is it safer to rely on ip-firewalling and not
> to scan http-traffic?
> 
> tia,
> Simon
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

I'm not sure how you have things setup there but it sounds like you have
one computer running the firewall and the web server. If thats the case
and you can't afford another box for snort then you'll have to pass
traffic through the firewall for snort to see it. Seeing the traffic
that your firewall is blocking is not as important as seeing the traffic
that it is not blocking. Since your already using ipchains have you
considered using guardian.
-- 
josh at ...155...
Snort Support
Silicon Defense




More information about the Snort-users mailing list