[Snort-users] Snort - VPS web server (Debian)

Martin Holste mcholste at ...11827...
Tue Aug 30 14:02:13 EDT 2011


Yep, no mod_security for lighttpd, apparently.  Since there is no
database and almost no dynamic content, it sounds like all you're
really needing to monitor is basic lighttpd security and email abuse.
Decent log review is probably your best bet, so maybe something like
OSSEC or SAGAN is what fits the best.

On Tue, Aug 30, 2011 at 10:37 AM, johnny.venter <johnny.venter at ...15370...> wrote:
> The pages are static--not dynamic.
>
> There is no DB at all.
>
> It is running PHP and takes input using forms for visitor information.  Sendmail runs internally to transmit visitor submissions.
>
> Via the lighttpd config, I have limited connections based on the IP to ensure that unnecessary resources are not taken.
>
> Are you sure that mod_security works with lighttpd?  From a cursory search, it does not appear to work.
>
> Thanks.
>
> ---- On Tue, 30 Aug 2011 08:08:42 -0700 Mike Lococo  wrote ----
>
>>On 08/28/2011 03:00 PM, Martin Holste wrote:
>>> On such a small server and with such a specific use, I'm not sure
>>> running Snort is the right tool for the job. I think mod_security
>>> with centralized logging would be a better fit, especially since it's
>>> serving mostly static content.
>>
>>I would reiterate that Snort is probably a poor match for this
>>environment. You say "mostly" dynamic, but are you running a DB at all?
>> You're going to need 32-64MB of memory for that. Do you run PHP?
>>Another 30-120MB depending on the application and the number of
>>processes you use to serve active content. You may end up needing a second
>>VPS just to run Snort, and needing to have it do packet forwarding to
>>the web-server.
>>
>>Is anyone actually running Snort with a memory footprint of 128MB or
>>less? Most of my experience is with fairly large high-throughput
>>setups, so maybe I have a warped view of how little RAM Snort can take
>>at the low end.
>>
>>As mentioned, mod-security will let you do signature-based blocking of
>>http attacks (the kind that really matter for a web-server) in just a
>>couple of megs of ram and there are some rulesets that I believe are
>>decent out there like the owasp set.
>>
>>Cheers,
>>Mike Lococo
>>
>>------------------------------------------------------------------------------
>>Special Offer -- Download ArcSight Logger for FREE!
>>Finally, a world-class log management solution at an even better
>>price-free! And you'll get a free "Love Thy Logs" t-shirt when you
>>download Logger. Secure your free ArcSight Logger TODAY!
>>http://p.sf.net/sfu/arcsisghtdev2dev
>>_______________________________________________
>>Snort-users mailing list
>>Snort-users at lists.sourceforge.net
>>Go to this URL to change user options or unsubscribe:
>>https://lists.sourceforge.net/lists/listinfo/snort-users
>>Snort-users list archive:
>>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>>Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>
>
>



