[Snort-users] Snort - VPS web server (Debian)
johnny.venter at ...15370...
Mon Aug 29 11:41:26 EDT 2011
Could you elaborate on using the "lightest memory setting for the fast pattern matcher"?
---- On Sun, 28 Aug 2011 12:00:54 -0700 Martin Holste <mcholste at ...11827...> wrote ----
> On such a small server and with such a specific use, I'm not sure
> running Snort is the right tool for the job. I think mod_security
> with centralized logging would be a better fit, especially since it's
> serving mostly static content. That said, Snort should run ok, but
> make sure you use the lightest memory setting for the fast pattern
> matcher, and most importantly, that you only run signatures applicable
> to the services it runs. When you've done all that, what you'll end
> up with is a system that will create alerts when it notices generic
> web attacks and high-level HTTP violations, like the Apache range
> vulnerability of late. All of this will be less specific and more
> resource-intensive than mod_security, which is why I recommend that
> you just start with that to begin with.
> On Sun, Aug 28, 2011 at 12:26 PM, Johnny Venter <Johnny.Venter at ...15370...> wrote:
> > Hello,
> > I am looking for guidance/advice.
> > I have a VPS server that is running Debian with Lighttpd and sendmail. The memory is 256MB and the HD space is 10GB.
> > The website I have is very light and mainly static content.
> > Currently, I have iptables installed that permits port 80/443 inbound.
> > I would like to install Snort on this VPS in IPS mode without bringing my system to a crawl. I assume I can disable the preprocessors that I will not need. So I can just enable the web preprocessors?
> > Is this correct and can someone add input if they have completed the same project before?
> > Thanks, Johnny
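The advice in the thread (a low-memory fast pattern matcher, only the web preprocessors, only rules for the services actually exposed) can be checked mechanically against a snort.conf. The script below is an added example, not part of the thread and not code from any poster or the Snort project. It assumes Snort 2.9-style configuration syntax, that `lowmem`/`lowmem-q` is the "lightest" search method meant, and that a web-only sensor keeps frag3, stream5 and http_inspect plus `web-*.rules` files; the sample configuration is constructed.

```python
import re

# Assumptions (not from the thread): Snort 2.9-style snort.conf syntax; the
# "lightest" matcher is lowmem/lowmem-q; a web-only sensor needs frag3 and
# stream5 for reassembly plus http_inspect, and rule files named web-*.rules.
LOW_MEM = {"lowmem", "lowmem-q"}
WEB_PREPROCS = {"frag3_global", "frag3_engine", "stream5_global",
                "stream5_tcp", "http_inspect", "http_inspect_server"}

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = """\
# trimmed snort.conf for a small web VPS
config detection: search-method ac-split search-optimize max-pattern-len 20
preprocessor frag3_global: max_frags 65536
preprocessor stream5_global: track_tcp yes, track_udp no
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor ftp_telnet: global inspection_type stateful
preprocessor sfportscan: proto { all } sense_level { low }
include $RULE_PATH/web-misc.rules
include $RULE_PATH/netbios.rules
"""

def audit(conf_text):
    """Return findings for a memory-constrained, web-only Snort sensor."""
    findings, method = [], None
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # ignore comments and blanks
        if not line:
            continue
        if re.match(r"config\s+detection\s*:", line):
            sm = re.search(r"search-method\s+(\S+)", line)
            if sm:
                method = sm.group(1)
                if method not in LOW_MEM:
                    findings.append(f"line {n}: search-method {method}; expected lowmem or lowmem-q")
            continue
        pp = re.match(r"preprocessor\s+(\w+)", line)
        if pp and pp.group(1) not in WEB_PREPROCS:
            findings.append(f"line {n}: preprocessor {pp.group(1)} is not needed for HTTP-only traffic")
        inc = re.match(r"include\s+(\S+\.rules)$", line)
        if inc and not inc.group(1).rsplit("/", 1)[-1].startswith("web-"):
            findings.append(f"line {n}: rule file {inc.group(1)} does not match an exposed service")
    if method is None:
        findings.append("no 'config detection: search-method' line found")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```
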