IDS?

Longman, Bill yellowdog-general@lists.terrasoftsolutions.com
Tue Dec 2 11:16:03 2003


> I am not sure what good snort will do on the server being protected.
> Usually, snort is put on a dedicated IDS server which captures
> everything on the wire and rule-matches for intrusion detection and
> notification. If a hacker gets your box, snort may know about it, but
> may also be disabled by a knowing hacker. Additionally, you would need
> to put the NIC of the box in promiscuous mode, which may not sit well
> with the network person.

You don't *need* to run snort in promiscuous mode. If you are willing to
scan for broadcast and unicast-to-your-machine packets, there's no need for
promiscuous. Use the -p option to take it out of promiscuous mode. Snort is
incredibly CPU intensive so you wouldn't want to run it on your box at any
rate. It can sit and sniff packets really well but getting that data out of
the database is always the problem.

> Tripwire is a good thing, if you are sure the box is secure when 
> creating the database. If this box is going to be vulnerable (on the 
> internet), I would run it as often as possible.

And take the time to configure tripwire. Go through the file database and
make sure it makes sense. Do the initial scan and then go through this again
a week or so later, once the system is stable. Then, you'll get very
meaningful information from the reports.

--
Bill
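The baseline-then-re-check workflow Bill describes for tripwire, as an added illustration that is not part of the original thread and not Tripwire's own code: a snapshot of file hashes, permission bits and sizes is taken while the host is known-good, and a later scan is diffed against it to report added, removed and changed files. Paths, the hash choice and the `build_baseline`/`check` names are this example's own assumptions.

```python
"""Minimal Tripwire-style file integrity check (constructed illustration).
Take the baseline only when the box is known to be clean, store it off-host,
and re-run check() regularly; review the report for anything unexpected."""
import hashlib
import os
import stat
from typing import Dict, List, Tuple

# One baseline entry per regular file: (sha256 hex digest, mode bits, size)
Entry = Tuple[str, int, int]


def _fingerprint(path: str) -> Entry:
    """Hash the file contents and record its permission bits and size."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return (h.hexdigest(), stat.S_IMODE(st.st_mode), st.st_size)


def build_baseline(root: str) -> Dict[str, Entry]:
    """Walk `root` and fingerprint every regular file (symlinks skipped).
    Keys are paths relative to `root` so the baseline is location-neutral."""
    baseline: Dict[str, Entry] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                baseline[os.path.relpath(path, root)] = _fingerprint(path)
    return baseline


def check(root: str, baseline: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Re-scan `root` and report how it differs from the stored baseline.
    A changed hash, mode or size all count as 'changed'."""
    current = build_baseline(root)
    common = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in common if current[p] != baseline[p]),
    }
```

In practice the baseline must be stored where an intruder on the monitored host cannot rewrite it, and the report needs a human pass to separate legitimate updates from tampering, which is why Bill suggests revisiting the database once the system has settled.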