[Snort-users] IDS Topology
saad at ...4401...
Thu Jan 9 22:49:01 EST 2003
On Thu, Jan 09, 2003 at 10:29:53PM -0600, Demetri Mouratis wrote:
> Your best bet is to find a dedicated machine for the sensor. If that's
> not possible, you can just install all the components on one machine.
> Several pitfalls with that approach:
> - running additional servers on the sensor makes it inherently more
...unless the additional services are conveniently configured and
- apache with less privileges, listening on localhost only
- mysql with less privileges
- services only reachable from the internal, non-sniffing, network
> - database, snort, apache, ..., all competing for same system resources
barnyard + os tuning may help in this regard. but I agree that this is
the biggest issue imho with this kind of setup.
> - no stealth logging ability
why? an all-component machine doesn't necessarily imply a single NIC.
you can always throw two cards at the task and use one for detection
while hooking the other to a secure administration network. the
detection/sniffing card would be setup so that it doesn't have an IP
> Read some of the ACID documentation for more reasons.
in which file(s)?
on the website, the only file I found that says something about this
subject is http://acidlab.sourceforge.net/acid_faq.html and even
there, there is little information:
* When possible, run the sensor (Snort), database, and web server on
apache runs by default as an unprivileged user/group on many *nix
platforms. openbsd goes to the extent of chroot()-ing it by default
starting from openbsd 3.2

to access apache from remote machines, one would use ssh port

if I missed it, I'm better off eating some carrots ;)
Saad Kadhi -- [saad at ...4401...] [saad.kadhi at ...7831...]
[pgp keyid: 35592A6D http://pgp.mit.edu]
[pgp fingerprint: BF7D D73E 1FCF 4B4F AF63 65EB 34F1 DBBF 3559 2A6D]
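One way to check that an all-in-one sensor is locked down the way the reply above describes (apache and mysql bound to loopback or the administration network only, the sniffing NIC carrying no IP address, apache reached from remote machines over an ssh port forward). This is an added example, not code from the thread or from the Snort or ACID projects; it parses constructed output of the modern Linux `ss -Hltn` and `ip -o -4 addr` commands, and the management network 10.0.0.0/24, the interface names eth0/eth1 and the admin host 10.0.0.5 are assumptions.

```python
"""Audit a one-box Snort/ACID sensor for the pitfalls discussed in the thread.

Checks (added example, assumptions marked below):
  1. every TCP listener is bound to loopback or to an address on the admin
     network, never to a wildcard or an address on some other segment;
  2. the sniffing NIC has no IP address (stealth detection interface);
  3. build the ssh port-forward command used to reach a loopback-only apache.
"""
import ipaddress

MGMT_NET = ipaddress.ip_network("10.0.0.0/24")   # assumption: admin network
MGMT_HOST = "10.0.0.5"                            # assumption: sensor's admin address
SNIFF_IFACE = "eth1"                              # assumption: detection NIC

# Constructed `ss -Hltn` output: state, recv-q, send-q, local addr:port, peer.
SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:80 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 10.0.0.5:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
"""

# Constructed `ip -o -4 addr` output: eth1 is absent, i.e. it has no address.
IP_ADDR_GOOD = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0\\       valid_lft forever preferred_lft forever
"""

# Constructed variant where someone gave the sniffing NIC an address.
IP_ADDR_BAD = IP_ADDR_GOOD + (
    "3: eth1    inet 192.168.1.9/24 brd 192.168.1.255 scope global eth1\\       "
    "valid_lft forever preferred_lft forever\n"
)


def parse_listeners(ss_text):
    """Return [(host, port), ...] for every LISTEN line of `ss -Hltn` output."""
    listeners = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")   # rpartition: IPv6 contains ':'
        host = host.strip("[]")                     # IPv6 literals are bracketed
        if host == "*":                             # older ss prints '*' for wildcard
            host = "0.0.0.0"
        listeners.append((host, int(port)))
    return listeners


def classify_listener(host, mgmt_net=MGMT_NET):
    """'loopback', 'management' (bound to an admin-net address) or 'exposed'."""
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:                         # 0.0.0.0 or :: wildcard bind
        return "exposed"
    return "management" if addr in mgmt_net else "exposed"


def addressed_interfaces(ip_text):
    """Set of interface names that carry an inet/inet6 address in `ip -o addr` output."""
    ifaces = set()
    for line in ip_text.splitlines():
        fields = line.split()                       # "2:", "eth0", "inet", "10.0.0.5/24", ...
        if len(fields) >= 4 and fields[2] in ("inet", "inet6"):
            ifaces.add(fields[1])
    return ifaces


def ssh_forward_command(local_port=8080, remote_port=80, user="admin", host=MGMT_HOST):
    """ssh -L command that reaches a loopback-only apache via the admin network."""
    return f"ssh -L {local_port}:127.0.0.1:{remote_port} {user}@{host}"


def audit(ss_text, ip_text, sniff_iface=SNIFF_IFACE, mgmt_net=MGMT_NET):
    """Return a list of human-readable findings; empty list means the box passes."""
    findings = []
    for host, port in parse_listeners(ss_text):
        if classify_listener(host, mgmt_net) == "exposed":
            findings.append(
                f"tcp/{port} bound to {host}: not restricted to loopback or the admin net"
            )
    if sniff_iface in addressed_interfaces(ip_text):
        findings.append(f"{sniff_iface} has an IP address; the sniffing NIC should have none")
    return findings


if __name__ == "__main__":
    for finding in audit(SS_OUTPUT, IP_ADDR_BAD):
        print("FINDING:", finding)
    print("reach acid with:", ssh_forward_command())
```

Run against live output with `audit(subprocess.check_output(["ss", "-Hltn"], text=True), subprocess.check_output(["ip", "-o", "addr"], text=True))`. A wildcard bind is flagged even when the sniffing NIC currently has no address, because the service would start answering on that segment the moment the interface acquired one (DHCP, a typo in an interface file, an IPv6 link-local address if the kernel adds one), which is exactly the exposure the two-NIC design is meant to rule out.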