RE: IIS and Snort
From: McCammon, Keith (Keith.McCammon@eadvancemed.com)
Date: 09/20/01
- Previous message: Kelley, John: "RE: IIS and Snort"
- Maybe in reply to: Brian Carvalho: "IIS and Snort"
- Next in thread: Ian Macdonald: "Re: IIS and Snort"
- Reply: Ian Macdonald: "Re: IIS and Snort"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <BB7FD4FF9E440648A731452E5D341FB06545B5@hitsexchange01.advance-med.com>
From: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
To: 'Brian Carvalho' <brian.carvalho@verizon.net>, focus-ids@securityfocus.com
Subject: RE: IIS and Snort
Date: Wed, 19 Sep 2001 18:49:36 -0400
***Would Snort be a good choice for my application?
Yes!
***Are there specific Snort rulesets for IIS?
Yes. When you download the Snort distribution, it comes with a complete
ruleset for monitoring web, DNS, SQL, mail, etc. You can choose which rules
you wish to deploy.
***Is there any way to send alerts with Snort?
Snort generates an alert.ids file where alerts are written. However, you
can configure output plug-ins for SQL, syslog, etc. You can pretty much get
your alerts any way you want 'em with relatively little effort.
***Should I monitor on the actual server or from an admin
machine?
An admin machine. Set up a machine with two NICs. One goes in promiscuous
mode on a switch monitoring port, and the other is for management. You
don't need a fast box, so don't worry about hardware cost. You can handle
T-3 speed with a decent workstation (maybe less, maybe more, depending on
variables).