[ale] Snort (Intrusion Detection)
- Subject: [ale] Snort (Intrusion Detection)
- From: transam at verysecurelinux.com (Bob Toxen)
- Date: Thu Mar 24 13:14:04 2005
- In-reply-to: <1111686554.10232.8.camel@angel>
- References: <1111686554.10232.8.camel@angel>
On Thu, Mar 24, 2005 at 12:49:14PM -0500, Jeff Hubbs wrote:
> In practice, is Snort run *on* an Internet-facing Web server or does one
> run Snort on a dual-homed machine *in front of* a Web server? Can
> anyone hold court on the subject?
It depends! It depends on what level of security is desired and what
one's budget is. Snort generally runs set-UID to root and there have
been remote root vulnerabilities -- as I recall.

For highest security, one's Firewall/IDS/IPS should be separate from what
it detects. This is in case there is a remote vulnerability on the
Firewall/IDS/IPS software but not on the server software behind it.
> Jeff
Bob Toxen
bob at verysecurelinux.com [Please use for email to me]
http://www.verysecurelinux.com [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
"Microsoft: Unsafe at any clock speed!"
-- Bob Toxen 10/03/2002