-
Newbie snort question
I am trying to learn more about site security. I have a site that is on a dedicated server but it is a hosted server. Though our provider seems to take reasonable security measures I want to take a more active role in our security efforts.
I would like to run Snort but as far as I can tell I would have to have a box on the physical network in front of my site server if I didn't want to run Snort on the site server itself. Is this correct? And if we ran Snort on the site server wouldn't that take significant resources from the server if Snort was used for intrusion detection?
Thanks for any information or suggestions about the best way to take a more active role in our site security.
-
Yes you would have to go with one of those two options. You could put a hub (notice not a switch or router) on the same segment as the server and use a second box to run snort. Or upu could run it on the server. The amount of resources it would take up depends on your set up. Snort can be configured to not take up too much, but then it isn't doing much. It all falls under the second law of thermodynamics, every time you gain something you lose something.
You should look into the Snort configuration logging to MySQL accross the network to a differnt box, and using ACID as your front in. I set his up once just to play with and it was sweet. If i can find the link I'll edit this later.
-
I wouldn't recommend running snort on the server machine you are hosting from , a dedicated machine running snort would be ideal so i'd advise setting up a seperate machine if your wondering about OS i'd say go with OpenBSD iv'e setup many NIDS boxes using OpenBSD n snort it's realitvely painless.
here's a tutorial I used when first setting up snort & ACID on openbsd: Tutorial it's written for OpenBSD 3.2 in mind but can obviousely be applied to the 3.4 and 3.5