[Snort-users] Snort - VPS web server (Debian)

Martin Holste mcholste at ...11827...
Sun Aug 28 15:00:54 EDT 2011


On such a small server and with such a specific use, I'm not sure
running Snort is the right tool for the job.  I think mod_security
with centralized logging would be a better fit, especially since it's
serving mostly static content.  That said, Snort should run ok, but
make sure you use the lightest memory setting for the fast pattern
matcher, and most importantly, that you only run signatures applicable
to the services it runs.  When you've done all that, what you'll end
up with is a system that will create alerts when it notices generic
web attacks and high-level HTTP violations, like the Apache range
vulnerability of late.  All of this will be less specific and more
resource-intensive than mod_security, which is why I recommend that
you just start with that to begin with.

On Sun, Aug 28, 2011 at 12:26 PM, Johnny Venter <Johnny.Venter at ...15370...> wrote:
> Hello,
>
> I am looking for guidance/advice.
>
> I have a VPS server that is running Debian with Lighttpd and sendmail.  The memory is 256MB and the HD space is 10GB.
>
> The website I have is very light and mainly static content.
>
> Currently, I have iptables installed that permits port 80/443 inbound.
>
> I would like to install Snort on this VPS in IPS mode without bringing my system to a crawl.  I assume I can disable the preprocessors that I will not need.  So I can just enable the web preprocessors?
>
> Is this correct and can someone add input if they have completed the same project before?
>
>
> Thanks, Johnny
>
> ------------------------------------------------------------------------------
> EMC VNX: the world's simplest storage, starting under $10K
> The only unified storage solution that offers unified management
> Up to 160% more powerful than alternatives and 25% more efficient.
> Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>




More information about the Snort-users mailing list