[ale] Snort (Intrusion Detection)
Bob Toxen
transam at verysecurelinux.com
Thu Mar 24 13:14:04 EST 2005
On Thu, Mar 24, 2005 at 12:49:14PM -0500, Jeff Hubbs wrote:
> In practice, is Snort run *on* an Internet-facing Web server or does one
> run Snort on a dual-homed machine *in front of* a Web server? Can
> anyone hold court on the subject?
It depends! It depends on what level of security is desired and what
one's budget is. Snort generally runs set-UID to root and there have
been remote root vulnerabilities -- as I recall.

For highest security, one's Firewall/IDS/IPS should be separate from what
it detects. This is in case there is a remote vulnerability on the
Firewall/IDS/IPS software but not on the server software behind it.
> Jeff
Bob Toxen
bob at verysecurelinux.com [Please use for email to me]
http://www.verysecurelinux.com [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
"Microsoft: Unsafe at any clock speed!"
-- Bob Toxen 10/03/2002