[Snort-users] Snort as a host-based IDS

Kevin Brown Kevin.M.Brown at ...1022...
Thu Oct 11 09:57:10 EDT 2001

On a machine that slow you would get better performance running Linux or BSD
instead of Win2k for snort/php/acid/apache and have fewer inherent
vulnerabilities (e.g. IIS crap).

-----Original Message-----
From: Pesek Wolfgang (Mail) [mailto:WPesek at ...3042...]
Sent: Tuesday, October 09, 2001 12:55
To: 'Chris Kirby'; 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] Snort as a host-based IDS

I run a farm of 26 webservers and snort it with a P133/64 MB running
Windows 2000 Server. It sure needs some special installation of the OS to
reduce load on the CPU (disable all unneeded services and so on).
Also I log into a MySQL DB and query this with ACID. Works fine on one
mirrored port on our Cisco 2924XL.
So from my point of view, just go ahead and use an older box to run Snort!
Just one little thing to say: I use a script to flush the database when the
alerts grow above ca. 5000, because then you run into timeouts when
querying the DB. Not sure if this is a problem with MySQL/ACID or the
really old hardware.
Hope I could give you some points to think about.
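Wolfgang's message above describes a script that flushes the alert database once it passes roughly 5000 rows, because ACID queries start timing out. The block below is an added example, not Wolfgang's script or anything shipped with Snort or ACID. It shows the shape such a prune usually takes: keep the newest events rather than wiping everything, and delete the matching rows in the dependent tables so nothing is orphaned. For the example an in-memory SQLite database stands in for MySQL, only a minimal subset of the classic Snort logging schema is modelled (event, iphdr and data, all keyed by the (sid, cid) pair), and the alert rows are constructed; the retention count of 1000 is an assumption.

```python
"""Keep a Snort alert database under a row threshold, as Wolfgang describes.

Added example, not code from any message in this thread. Wolfgang's script
"flushes" the database once alerts pass about 5000; this version prunes the
oldest events down to a retention count instead of wiping everything, and
deletes the matching rows in the dependent tables so nothing is orphaned.

Assumptions (hypothetical): an in-memory SQLite database stands in for the
MySQL backend, and only a minimal subset of the classic Snort logging schema
is modelled (event, iphdr, data, all keyed by the sensor id / event id pair
(sid, cid)). The sample rows are constructed, not real alerts.
"""
import sqlite3
from datetime import datetime, timedelta

MAX_EVENTS = 5000   # threshold mentioned in the thread
KEEP_EVENTS = 1000  # newest events retained after a prune (assumption)

SCHEMA = """
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                    timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER,
                    ip_dst INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE data  (sid INTEGER, cid INTEGER, data_payload TEXT,
                    PRIMARY KEY (sid, cid));
"""


def make_sample_db(n_events, sid=1, start=datetime(2001, 10, 9, 12, 0, 0)):
    """Build a constructed database with n_events alerts one second apart."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    cids = range(1, n_events + 1)
    conn.executemany(
        "INSERT INTO event VALUES (?, ?, ?, ?)",
        [(sid, cid, 1000 + cid % 7,
          (start + timedelta(seconds=cid)).strftime("%Y-%m-%d %H:%M:%S"))
         for cid in cids])
    conn.executemany(
        "INSERT INTO iphdr VALUES (?, ?, ?, ?)",
        [(sid, cid, 0x0A000001, 0x0A000002) for cid in cids])
    conn.executemany(
        "INSERT INTO data VALUES (?, ?, ?)",
        [(sid, cid, "GET /default.ida?XXXX") for cid in cids])
    conn.commit()
    return conn


def event_count(conn):
    return conn.execute("SELECT COUNT(*) FROM event").fetchone()[0]


def orphan_count(conn):
    """Rows in dependent tables whose parent event is gone (should be 0)."""
    total = 0
    for table in ("iphdr", "data"):
        total += conn.execute(
            f"SELECT COUNT(*) FROM {table} t WHERE NOT EXISTS "
            f"(SELECT 1 FROM event e WHERE e.sid = t.sid AND e.cid = t.cid)"
        ).fetchone()[0]
    return total


def prune_if_needed(conn, max_events=MAX_EVENTS, keep=KEEP_EVENTS):
    """Delete the oldest events once the table exceeds max_events.

    Returns the number of events removed (0 when no prune was necessary).
    """
    total = event_count(conn)
    if total <= max_events:
        return 0
    with conn:  # one transaction: either all tables are pruned or none
        # Everything beyond the newest `keep` events is a victim.
        # LIMIT -1 means "no limit" in SQLite; OFFSET skips the keepers.
        conn.execute(
            "CREATE TEMP TABLE victims AS "
            "SELECT sid, cid FROM event "
            "ORDER BY timestamp DESC, cid DESC LIMIT -1 OFFSET ?", (keep,))
        # Dependent tables first, then the parent table, all by (sid, cid).
        for table in ("data", "iphdr", "event"):
            conn.execute(
                f"DELETE FROM {table} WHERE EXISTS "
                f"(SELECT 1 FROM victims v WHERE v.sid = {table}.sid "
                f"AND v.cid = {table}.cid)")
        conn.execute("DROP TABLE victims")
    return total - keep


if __name__ == "__main__":
    db = make_sample_db(6000)
    removed = prune_if_needed(db)
    print(f"removed {removed}, remaining {event_count(db)}, "
          f"orphans {orphan_count(db)}")
```

Against a real MySQL backend the connection call and the LIMIT/OFFSET form change, but the two design points carry over: prune by the (sid, cid) key across every per-event table in one transaction, and keep a retention window rather than truncating, so the most recent alerts stay queryable in ACID after the prune.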

From: Chris Kirby 
To: 'snort-users at lists.sourceforge.net' 
Sent: 09.10.01 20:55 
Subject: [Snort-users] Snort as a host-based IDS 
We have a server farm of about ten Windows NT4 webservers that I would 
like to install Snort on. Can Snort be installed on Win32 machines as a 
host-based IDS, or can it only function as a network-based IDS on this 
particular platform? Since we do not have a lot of bandwidth pushing 
(under 2 Mb/s), would it be better to dedicate a box as a network based 
Also, can Snort as a host-based IDS detect filesystem changes, or would I 
just install Tripwire along with Snort to get the best of both worlds? 
One issue, however, is that our webservers are sitting behind F5 load 
balancers and are in a switched environment. I am not sure if our 
(Cisco 2924XL) will support spanning ports or not; does anyone know? I 
have to stick with host-based IDS no matter what if it does not. 
Since our bandwidth is not high, could we get away with one Intel 
3-750MHz box running Snort to monitor both the segment in front of 
as well as the DMZ? Is there any security risk in installing a network 
IDS that can bypass the firewall, or does the "read-only" ethernet cable 
splice ensure one-way traffic only? 
Any comments are welcome. :) Thanks in advance! 
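Chris asks above whether a Cisco 2924XL supports spanning ports, and Wolfgang's reply says his Snort box sits on one mirrored port of that model. As an added illustration that is not part of any message in this thread, this is the Catalyst 2900XL-style port monitoring configuration. The interface numbers are assumed for the example: Fa0/24 as the port the Snort sensor is plugged into, Fa0/1 and Fa0/2 as the monitored web-server ports.

```text
! Catalyst 2900XL / 3500XL IOS: the monitoring (destination) port is
! configured, and each source port to copy is listed under it.
! Interface numbers are assumed for this example.
interface FastEthernet0/24
 description Snort sensor (monitoring port)
 port monitor FastEthernet0/1
 port monitor FastEthernet0/2
!
! "port monitor" with no argument mirrors every port in the same VLAN.
! On this platform the source and destination ports must be in the same
! VLAN, so a sensor in one VLAN cannot mirror servers in another.
```

On the "read-only" question in the message above: a monitor port copies frames to the sensor, and whether anything flows back depends on the sensor host, not the switch. The usual practice is to leave the Snort capture interface without an IP address so it has nothing to answer with, and to manage the box over a second interface on a separate network.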

Snort-users mailing list 
Snort-users at lists.sourceforge.net 