[Snort-users] IDS Topology

Saad Kadhi saad at ...4401...
Thu Jan 9 22:49:01 EST 2003

On Thu, Jan 09, 2003 at 10:29:53PM -0600, Demetri Mouratis wrote:
> Your best bet is to find a dedicated machine for the sensor.  If that's
> not possible, you can just install all the components on one machine.
> Several pitfalls with that approach:
> - running additional servers on the sensor makes it inherently more
> vulnerable
...unless the additional services are conveniently configured and
  - apache with less privileges[1], listening on localhost only[2]
  - mysql with less privileges
  - services only reachable from the internal, non-sniffing, network
  - ...

> - database, snort, apache, ..., all competing for same system resources
barnyard + os tuning may help in this regard. but I agree that this is
the biggest issue imho with this kind of setup.

> - no stealth logging ability
why? an all-component machine doesn't necessarily imply a single NIC.
you can always throw two cards at the task and use one for detection
while hooking the other to a secure administration network. the
detection/sniffing card would be set up so that it doesn't have an IP

> Read some of the ACID documentation for more reasons.
in which file(s)? 

on the website, the only file I found that says something about this
subject[3] is http://acidlab.sourceforge.net/acid_faq.html and even
there, there is little information:

  * When possible, run the sensor (Snort), database, and web server on
    separate machines.

[1] apache runs by default as an unprivileged user/group on many *nix
    platforms. openbsd goes to the extent of chroot()-ing it by default
    starting from openbsd 3.2
[2] to access apache from remote machines, one would use ssh port
[3] if I missed it, I'm better off eating some carrots ;)
Saad Kadhi -- [saad at ...4401...] [saad.kadhi at ...7831...]
[pgp keyid: 35592A6D http://pgp.mit.edu]
[pgp fingerprint: BF7D D73E 1FCF 4B4F AF63  65EB 34F1 DBBF 3559 2A6D]
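
Added example, not part of the original message: a small check for the two-NIC all-in-one layout described in the reply above, flagging a sniffing interface that carries an IP address and any service listening on all addresses instead of localhost or the administration network. It assumes a Linux host with input in the style of `ip -o -4 addr show` and `ss -ltnH`; the interface names, addresses and sample lines are constructed.

```python
import ipaddress

# Constructed sample data (not from the original post), in the style of
# `ip -o -4 addr show` and `ss -ltnH` on a two-NIC all-in-one sensor.
# Assumption: eth0 is the administration NIC, eth1 the sniffing NIC.
SAMPLE_ADDRS = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0
3: eth1    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1
"""
SAMPLE_LISTENERS = """\
LISTEN 0 128 127.0.0.1:80 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 10.0.0.5:22 0.0.0.0:*
"""

def parse_addrs(text):
    """Map interface name -> list of IPv4 addresses assigned to it."""
    addrs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[2] == "inet":
            addrs.setdefault(f[1], []).append(ipaddress.ip_interface(f[3]).ip)
    return addrs

def parse_listeners(text):
    """Return (ip, port) per LISTEN line; the local address is the 4th field."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "LISTEN":
            host, _, port = f[3].rpartition(":")
            # "*" means every address; drop IPv6 brackets and any %scope suffix
            host = "0.0.0.0" if host == "*" else host.strip("[]").split("%")[0]
            out.append((ipaddress.ip_address(host), int(port)))
    return out

def audit(addr_text, listen_text, sniff_iface):
    """List findings for a sensor whose sniff_iface should carry no IP."""
    sniff_ips = parse_addrs(addr_text).get(sniff_iface, [])
    findings = [f"{sniff_iface} has address {ip}; sniffing NIC should have none"
                for ip in sniff_ips]
    for ip, port in parse_listeners(listen_text):
        if ip.is_unspecified:
            findings.append(f"port {port} listens on all addresses ({ip})")
        elif ip in sniff_ips:
            findings.append(f"port {port} is bound to the sniffing NIC ({ip})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_ADDRS, SAMPLE_LISTENERS, "eth1")) or "no findings")
```
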
