[Snort-users] Snort - VPS web server (Debian)

Mike Lococo mikelococo at ...11827...
Tue Aug 30 11:08:42 EDT 2011

On 08/28/2011 03:00 PM, Martin Holste wrote:
> On such a small server and with such a specific use, I'm not sure
> running Snort is the right tool for the job.  I think mod_security
> with centralized logging would be a better fit, especially since it's
> serving mostly static content.

I would reiterate that Snort is probably a poor match for this 
environment.  You say "mostly" dynamic, but are you running a DB at all? 
  You're going to need 32-64MB of memory for that.  Do you run PHP? 
Another 30-120MB depending on the application and the number of 
processes you use serve active content.  You may end up needing a second 
VPS just to run Snort, and needing to have it do packet forwarding to 
the web-server.

Is anyone actually running Snort with a memory footprint of 128MB or 
less?  Most of my experience is with fairly large high-throughput 
setups, so maybe I have a warped view of how little RAM Snort can take 
at the low end.

As mentioned, mod-security will let you do signature-based blocking of 
http attacks (the kind that really matter for a web-server) in just a 
couple of megs of ram and there are some rulesets that I believe are 
decent out there like the owasp set.

Mike Lococo

More information about the Snort-users mailing list