[Snort-users] Snort as a host-based IDS

Chris Kirby ckirby at ...3736...
Tue Oct 9 11:58:06 EDT 2001


We have a server farm of about ten Windows NT4 webservers that I would
like to install Snort on. Can Snort be installed on win32 machines as a
host-based IDS, or can it only function as a network-based IDS on this
particular platform? Since we do not have a lot of bandwidth pushing through
(under 2mb/s), would it be better to dedicate a box as a network-based IDS?
Also, can Snort as a host-based IDS detect filesystem changes, or would I
just install Tripwire along with Snort to get the best of both worlds?

One issue, however, is that our webservers are sitting behind F5 load
balancers and are in a switched environment. I am not sure if our switches
(Cisco 2924XL) will support spanning ports or not; does anyone know? I may
have to stick with host-based IDS no matter what if they do not.

Since our bandwidth is not high, could we get away with one Intel Pentium
3-750mhz box running Snort to monitor both the segment in front of the firewall
as well as the DMZ? Is there any security risk in installing a network-based
IDS that can bypass the firewall, or does the "read-only" Ethernet cable
splice ensure one-way traffic only?

Any comments are welcome. :) Thanks in advance!

Chris.
