Hi guys,

Do you think it will work if I setup Snort or Suricata in standalone web servers in order to be real-time notified when an attack is being performed? My web servers are not in the same network , they are in different zones on the cloud, also different providers.

One of our Attlassian servers on the cloud got hacked, this was a pain in the neck.

Normally you would want to deploy snort/suricata on a router/firewall before the web server. If the server becomes compromised somehow, the attacker won't have access to the firewall to erase the logs or prevent the IDS from signalling alerts. You could also deploy some additional local security for your webserver like AIDE. And if the host offers it, go for apparmor or even better, grsecurity. If you're using Apache web server, consider adding mod_security.

i use suricata on pfsense box, it works very nicely.

I've got a similar problem - multiple VMs that are being attacked all the time in different ways from multiple IPs - reaaaaaally annoying.
So far I've used a mix of fail2ban + elasticsearch + scripts + otherstuff but it's getting too complicated.

I want something that not only informs me that something weird is going on but especially that it reacts to weird stuff by closing the firewall.
From what I've read Snort & Co. are all able to detect stuff but don't really react to it.

What about OSSEC?
Quote: "blahblahblah...and active response"
Does anybody have any experience with it?
Difficult to maintain?
Any frontend (config and/or stats)?

suricata/snort at pfsense box block all attackers via pf, packetfilter = firewall of open/free bsd.