I recently installed Snort along with Apache and MySQL. I'm relatively new to intrusion detection, as you may know from the following. My concern: I see a large number of connections made by apache.exe as well as mysql.exe. Just how many? Nearly 30 for apache.exe and even more for mysql.exe. My question: does this sound about right or should there be more? (Of course I'm being cynical.) What are some security concerns involved in leaving so many ports open? Is there a drawback in running the pig and its cohorts? (This obviously sounds ironic considering that IDS is supposed to help protect your system.) Thx in advance.
There really shouldn't be THAT many connections with Apache or MySQL unless you have visitors to your website, etc. If the website is live, this is to be expected. You will also get many people trying to port scan you, and this may show up as connections in some instances.