| Linode Forum https://forum.linode.com/ |
|
| Snort and Linode https://forum.linode.com/viewtopic.php?f=19&t=2152 |
| Author: | unixfool [ Sun Mar 12, 2006 12:38 pm ] |
| Post subject: | Snort and Linode |
I'm wondering if anyone has run Snort on their Linode and if so, were there any Linode resource issues when running Snort. Yeah, I'm considering it, but I don't want to run into any limitations if I go ahead and do it. Also, I'm wondering if it's best to arrange my Linode so that Snort has its own dedicated interface, with no IP assigned (this is one of the better ways to use Snort). EDIT: I went ahead and got an additional IP for this project. When I bring up the interface, I'll just not assign it an IP. One thing I noticed is that using the new interface requires a reboot. I'm about to lose some serious uptime (351 days)... I think I might wait until I roll over the magic number (365) before I reboot. |
|
| Author: | Internat [ Sun Mar 12, 2006 5:47 pm ] |
| Post subject: | |
DHCP doesn't give you your second IP address, from memory; you have to manually assign it and all of the respective details. Cheers, Internat |
|
| Author: | unixfool [ Sat Dec 01, 2007 4:31 pm ] |
| Post subject: | |
Sorry for waking up such an old thread... I just saw Internat's comment and thought I should respond/clarify for Internat and for anyone who may be considering running Snort on their Linode. This has nothing at all to do with DNS whatsoever. When standing up a Snort server, the best practice is to utilize a dedicated interface with no IP assigned. That is what I was trying to do, but found that Linode would only give me a dual-homed interface and not a second dedicated interface... so it is impossible to have an interface that doesn't have an IP already assigned to it. To support my project, I had to bend the rules a bit (regarding the setup of Snort) by binding the Snort service to an interface that had an IP assigned to it. That's not the best way to run a Snort service but the ONLY way in this case. On a side note, I do provide my Snort and firewall logs to dshield.org as a way of contributing to the tracking of infected machines (or machine owners attacking my node) on the internet. I also run ModSecurity, which I use with Snort and iptables logs to correlate data to discern what attacks occurred and whether or not they were successful. Good stuff that most hosting companies wouldn't allow me to do... |
|
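The log correlation mentioned in the last post, sketched as an added example that is not code from the thread: it matches Snort fast-format alerts against iptables LOG drops by source address, ports and time. The log lines, the `FW-DROP:` log prefix, the year and the 5-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (documentation address ranges), not real traffic.
SNORT_FAST = """\
12/01-16:31:02.120000  [**] [1:1000001:1] Constructed web probe [**] [Priority: 1] {TCP} 203.0.113.5:40112 -> 192.0.2.10:80
12/01-16:31:40.500000  [**] [1:1000002:1] Constructed SSH scan [**] [Priority: 2] {TCP} 198.51.100.7:51515 -> 192.0.2.10:22
"""
IPTABLES_LOG = """\
Dec  1 16:31:40 node kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51515 DPT=22
Dec  1 16:35:00 node kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40999 DPT=80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{\w+\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+[\d.]+:(?P<dport>\d+)")
# "FW-DROP:" is an assumed --log-prefix on the rule that logs dropped packets.
DROP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s.*?FW-DROP:.*?SRC=(?P<src>[\d.]+)"
    r".*?SPT=(?P<sport>\d+)\s+DPT=(?P<dport>\d+)")

def correlate(alerts, fw_log, year=2007, window=timedelta(seconds=5)):
    """Label each Snort alert by whether iptables logged a drop for the same flow."""
    drops = []
    for line in fw_log.splitlines():
        m = DROP_RE.search(line)
        if m:  # neither log carries a year, so the caller supplies it
            stamp = " ".join(m["ts"].split())  # collapse syslog's padded day
            when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            drops.append((when, m["src"], m["sport"], m["dport"]))
    results = []
    for line in alerts.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        when = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        flow = (m["src"], m["sport"], m["dport"])
        dropped = any(d[1:] == flow and abs(d[0] - when) <= window for d in drops)
        # Snort captures packets before netfilter filters them, so a matching
        # drop means the alerting packet never reached a service. No drop only
        # means it got through; the ModSecurity/application logs decide the rest.
        verdict = "dropped-by-firewall" if dropped else "reached-host"
        results.append({"src": m["src"], "sid": m["sid"], "msg": m["msg"], "verdict": verdict})
    return results

if __name__ == "__main__":
    for r in correlate(SNORT_FAST, IPTABLES_LOG):
        print(f"{r['src']:<15} {r['sid']:<12} {r['verdict']:<20} {r['msg']}")
```
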
| All times are UTC-04:00 |
|