[Snort-users] performance concern

Matt Kettler mkettler at ...4108...
Tue Jun 17 12:48:09 EDT 2003

At 01:37 PM 6/17/2003 -0500, Francisco Morosini wrote:
>Hi! I have a concern: I have a machine with IIS 5.0, and I want to ask whether
>it is possible to run the IDS and the web server on the same machine, or
>whether I will have performance trouble.

Whether this will have performance issues depends totally on the load and on 
what kind of hardware you are running on. Heck, without defining load and 
hardware, you can't even ascertain if you'll have performance issues 
without IIS, much less what will happen with IIS added to the picture.

However, my biggest hesitation would be security, not performance. If you 
want Snort to watch your web server for attacks, bear in mind that if your 
IIS is successfully hacked, a reasonably skilled attacker can very easily 
erase their tracks if Snort is on the same system and logging its data there.

This alone is one VERY good reason to run Snort on a machine that is as 
isolated as possible from any possibility of exploit, if you want to use it 
to track down "what happened" after an attack. My Snort box isn't even 
allowed to send data to any machine outside the local network, by the 
firewall (actually two firewalls both block this: one on the Snort box 
itself, and one in the network border router). It's also not allowed to do 
recursive DNS queries.
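The host-side half of the isolation described above, written out as an added example (this is not from the original post and not a Snort project script). It assumes a Linux sensor with iptables, a management interface eth0 on the local network 192.168.1.0/24, a second address-less sniffing interface eth1, and a single admin host 192.168.1.10 that is allowed to SSH in; all of those names and addresses are assumptions, not values from the post. The ruleset is printed rather than applied so it can be reviewed without root; a self-check confirms that no OUTPUT rule accepts traffic to a destination off the local network.

```shell
#!/bin/sh
# Added example: egress-locked host firewall for an isolated Snort sensor.
# Assumed layout (not from the post): management on eth0, sniffing on eth1
# (no IP address), LAN 192.168.1.0/24, admin workstation 192.168.1.10.
set -eu

LAN_NET="${LAN_NET:-192.168.1.0/24}"
MGMT_IF="${MGMT_IF:-eth0}"
SNIFF_IF="${SNIFF_IF:-eth1}"
ADMIN_HOST="${ADMIN_HOST:-192.168.1.10}"   # assumed to lie inside LAN_NET

# Print the iptables commands instead of running them, so the policy can be
# reviewed (and unit-tested) without root. Apply with:  sensor_ruleset | sudo sh
sensor_ruleset() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# loopback stays open for local daemons
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# the sniffing interface carries no address; nothing may be sent or accepted on it
iptables -A INPUT -i $SNIFF_IF -j DROP
iptables -A OUTPUT -o $SNIFF_IF -j DROP
# management: SSH from the one admin host only, replies back to it only
iptables -A INPUT -i $MGMT_IF -p tcp -s $ADMIN_HOST --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $MGMT_IF -p tcp -d $ADMIN_HOST --sport 22 -m state --state ESTABLISHED -j ACCEPT
# no DNS lookups from the sensor at all (placed before the LAN accept on purpose)
iptables -A OUTPUT -p udp --dport 53 -j DROP
iptables -A OUTPUT -p tcp --dport 53 -j DROP
# anything else the sensor sends must stay on the local network; log the rest
iptables -A OUTPUT -o $MGMT_IF -d $LAN_NET -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix "sensor-egress-denied: "
iptables -A OUTPUT -j DROP
EOF
}

# Self-check: every ACCEPT in the OUTPUT chain must be loopback, the LAN, or the
# admin host. Returns 1 if any accept rule could reach a destination elsewhere.
check_ruleset() {
    if sensor_ruleset | grep -- '-A OUTPUT' | grep -- '-j ACCEPT' \
        | grep -v -- '-o lo' \
        | grep -v -- "-d $LAN_NET" \
        | grep -v -- "-d $ADMIN_HOST" >/dev/null; then
        echo "unrestricted OUTPUT accept rule found" >&2
        return 1
    fi
    return 0
}

# Usage when run directly: show the ruleset after the self-check passes.
if [ "${1:-}" = "show" ]; then
    check_ruleset && sensor_ruleset
fi
```

The DNS DROP rules are deliberately placed ahead of the LAN accept so the sensor cannot reach even a local resolver; that matches the "no recursive DNS queries" point and also removes one channel (DNS lookups) through which an alert-processing tool could leak data off the box. Reading alerts then means pulling them over SSH from the admin host, never pushing them from the sensor.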

