[Snort-users] performance concern
mkettler at ...4108...
Tue Jun 17 12:48:09 EDT 2003
At 01:37 PM 6/17/2003 -0500, Francisco Morosini wrote:
>Hi! I have a concern. I have a machine with IIS 5.0, and I ask if it is
>possible to run the IDS with the web server on the same machine, or will I
>have performance troubles?

Depends totally on the load, and what kind of hardware you are running on
if this will have performance issues. Heck, without defining load and
hardware, you can't even ascertain if you'll have performance issues
without IIS, much less what will happen with IIS added to the picture.

However, my biggest hesitation would be security, not performance. If you
want snort to watch your webserver for attack, bear in mind that if your
IIS is successfully hacked, a reasonably skilled attacker can very easily
erase their tracks if snort is on the same system and logging its data there.
This alone is one VERY good reason to run snort on a machine that is as
isolated as possible from any possibility of exploit if you want to use it to track
down "what happened" after an attack. My snort box isn't even allowed to
send data to any machine outside the local network by the firewall
(actually two firewalls both block this, one on the snort box itself, and
one in the network border router.) It's also not allowed to do recursive