I've been looking for an effective intrusion prevention system (IPS) for an Ubuntu 14.04 server, something like what Symantec or F-Prot might offer for a Windows server. I've contacted major companies which say they support products for Ubuntu and other Linux distros, but they end up being anti-virus only and do not offer any protection against known vulnerabilities.
I found documentation about Snort and Suricata combined with rule managers like PulledPork and OinkMaster, but as I got deeper into it, it seemed to me that these were meant to turn a server into a dedicated hardware IPS solution for a network.
- Can Suricata be used instead on an existing web server to simply provide intrusion prevention for that server?
- Is there a sample configuration available for this scenario?
- Would doing this slow performance down such that it would be inadvisable?
Best Answer
You can definitely use Suricata as an IPS on your web server, but generally it's not a good idea.
Maybe a host-based IDS is better for this kind of situation. Try looking at OSSEC (https://ossec.github.io). OSSEC is free and very light.
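For the first two questions, the single-host Suricata setup the answer says is possible looks like the following. This is an added example, not code from the question, the answer or the Suricata project: it diverts the web server's own HTTP/HTTPS traffic into an NFQUEUE with iptables and starts Suricata bound to that queue, which is Suricata's inline (IPS) mode on a host rather than on a network tap. The queue number, the port list, the suricata.yaml path and the DRY_RUN switch are assumptions; it needs a Suricata build with NFQUEUE support and root to apply the rules for real.

```shell
#!/bin/sh
# Added example (not from the question or the answer): put one Ubuntu
# web server's own HTTP/HTTPS traffic through Suricata in inline NFQUEUE
# mode. Queue id, ports, config path and DRY_RUN are assumptions.
set -eu

QUEUE_NUM="${QUEUE_NUM:-0}"                        # must match "suricata -q"
WEB_PORTS="${WEB_PORTS:-80,443}"                   # ports this host serves
SURICATA_CFG="${SURICATA_CFG:-/etc/suricata/suricata.yaml}"
DRY_RUN="${DRY_RUN:-1}"                            # 1 = print, 0 = apply

# Print the command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# iptables rules that hand the server's web traffic to the NFQUEUE, in both
# directions so Suricata sees requests and replies.
#   open   : adds --queue-bypass, so the kernel ACCEPTs the packets when no
#            process is bound to the queue (fail-open: a crashed Suricata
#            does not take the site down, but also stops protecting it).
#   closed : no bypass; with Suricata down the packets are dropped
#            (fail-closed: the site goes dark until Suricata is back).
nfqueue_rules() {
    mode="${1:-open}"
    for chain_spec in "INPUT --dports" "OUTPUT --sports"; do
        set -- $chain_spec
        chain=$1
        portopt=$2
        if [ "$mode" = "open" ]; then
            run iptables -I "$chain" -p tcp -m multiport "$portopt" "$WEB_PORTS" \
                -j NFQUEUE --queue-num "$QUEUE_NUM" --queue-bypass
        else
            run iptables -I "$chain" -p tcp -m multiport "$portopt" "$WEB_PORTS" \
                -j NFQUEUE --queue-num "$QUEUE_NUM"
        fi
    done
}

# Validate the config (-T) and then start Suricata as a daemon (-D) reading
# from the queue (-q). Rules with a "drop" action are what make it an IPS;
# "alert" rules only log, exactly as they would in IDS mode.
suricata_cmd() {
    run suricata -T -c "$SURICATA_CFG"
    run suricata -c "$SURICATA_CFG" -q "$QUEUE_NUM" -D
}

main() {
    nfqueue_rules "${NFQUEUE_MODE:-open}"
    suricata_cmd
}

main
```

Run it once with the default DRY_RUN=1 to review the commands, then with DRY_RUN=0 as root. Start with the fail-open variant and switch to NFQUEUE_MODE=closed only once Suricata is supervised by init and you are comfortable with availability depending on it. On the third question (performance): in this mode every packet on the listed ports crosses into userspace and waits for a verdict, so the cost scales with the site's traffic and rule set, which is why a host-based agent like the OSSEC suggestion above is the lighter option when you do not need inline blocking.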