Snort and Linode
Yeah, I'm considering it, but I don't want to run into any limitations if I go ahead and do it.
Also, I'm wondering if it's best to arrange my Linode so that Snort has its own dedicated interface, with no IP assigned (this is one of the better ways to use Snort).
EDIT:
I went ahead and got an additional IP for this project. When I bring up the interface, I'll just not assign it an IP. One thing I noticed is that using the new interface requires a reboot. I'm about to lose some serious uptime (351 days)… I think I might wait until I roll over the magic number (365) before I reboot.
2 Replies
cheers
Internat
This has nothing at all to do with DNS whatsoever. When standing up a Snort server, the best practice is to utilize a dedicated interface with no IP assigned. That is what I was trying to do, but found that Linode would only give me a dual-homed interface and not a second dedicated interface…so it is impossible to have an interface that doesn't have an IP already assigned to it.
To support my project, I had to bend the rules a bit (regarding the setup of Snort) by binding the Snort service to an interface that had an IP assigned to it. That's not the best way to run a Snort service but the ONLY way in this case.
On a side note, I do provide my Snort and firewall logs to dshield.org as a way of contributing to the tracking of infected machines (or machine owners attacking my node) on the internet. I also run ModSecurity, which I use with Snort and iptables logs to correlate data to discern what attacks occurred and whether or not they were successful. Good stuff that most hosting companies wouldn't allow me to do…
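
One way to do the Snort / iptables / ModSecurity correlation mentioned in the post above, added here as an example and not the poster's own tooling. The log lines are constructed, the `DROP: ` iptables log prefix and the Apache error-log layout are assumptions, and matching is by source IP and destination port only (no time window).

```python
import re

# Constructed sample lines (documentation-range addresses), not real log data.
SNORT_ALERTS = [
    "08/28-12:01:07.100000  [**] [1:1000001:1] Constructed web attack signature [**] [Priority: 1] {TCP} 203.0.113.7:40112 -> 192.0.2.10:80",
    "08/28-12:03:44.200000  [**] [1:1000002:1] Constructed SSH scan signature [**] [Priority: 2] {TCP} 198.51.100.9:51000 -> 192.0.2.10:22",
    "08/28-12:05:12.300000  [**] [1:1000001:1] Constructed web attack signature [**] [Priority: 1] {TCP} 203.0.113.50:40999 -> 192.0.2.10:80",
]
# Assumes the firewall rule logs with --log-prefix "DROP: " before dropping.
IPTABLES_LOG = [
    "Aug 28 12:03:44 node kernel: DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22",
]
# Assumes ModSecurity denials are written to the Apache error log.
MODSEC_LOG = [
    '[Thu Aug 28 12:01:07 2008] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [uri "/index.php"]',
]

SNORT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\].*\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
IPT_RE = re.compile(r"DROP: .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dport>\d+)")
MODSEC_RE = re.compile(r"\[client (?P<src>[\d.]+)\] ModSecurity: Access denied")
WEB_PORTS = {"80", "443"}


def correlate(snort, iptables, modsec):
    """Return (src, dport, alert message, verdict) for every Snort alert."""
    dropped = {(m["src"], m["dport"]) for m in map(IPT_RE.search, iptables) if m}
    denied = {m["src"] for m in map(MODSEC_RE.search, modsec) if m}
    results = []
    for line in snort:
        m = SNORT_RE.search(line)
        if not m:
            continue  # not a fast-alert line
        src, dport = m["src"], m["dport"]
        if (src, dport) in dropped:
            verdict = "blocked by firewall"
        elif dport in WEB_PORTS and src in denied:
            verdict = "blocked by ModSecurity"
        else:
            verdict = "review"  # nothing in the other logs shows it was stopped
        results.append((src, dport, m["msg"], verdict))
    return results


if __name__ == "__main__":
    for row in correlate(SNORT_ALERTS, IPTABLES_LOG, MODSEC_LOG):
        print(row)
```

Alerts that end up as `review` are the ones to check by hand against the application and access logs.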