Snort mailing list archives

RE: Database output


From: "Hutchinson, Andrew" <andrew.hutchinson () Vanderbilt Edu>
Date: Thu, 11 Dec 2003 11:13:24 -0600

Just as an FYI on the ssl question...

Erwin mentions in an earlier message that he is using Postgresql.
Postgresql can be compiled to use ssl w/o using stunnel.  You just
simply install OpenSSL before installing Postgresql, and then configure
Postgresql using the " --with-openssl[=DIR]" directive.  You then create
a certificate (look here:
http://www.postgresql.com/docs/7.3/static/ssl-tcp.html for
instructions), and add the "ssl=true" directive in your postgresql.conf
file.

Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
(615) 936-2856
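The steps Andrew lists (build with --with-openssl, create a server certificate, set ssl=true) as a scripted example. This is an added illustration, not code from the thread or from the PostgreSQL project: the certificate is produced with a single self-signed `openssl req -x509` call instead of the multi-step sequence in the 7.3 docs, the host name, database, user and sensor address are assumed placeholders, and the pg_hba.conf entry uses the 7.3-era address/mask form (the `hostssl` type, which only accepts SSL connections, is what ties Dirk's "authenticate the sensors" point to the configuration).

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a PostgreSQL server built with
# --with-openssl and that this runs as the database owner. PGDATA, the CN,
# and the sensor address are placeholders.
set -eu

# Create server.crt / server.key in PGDATA. The 7.3 docs reach the same two
# files with separate req/rsa/x509 steps; one -x509 call is enough here.
make_pg_server_cert() {
    pgdata=$1
    openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=snortdb.example.test" \
        -keyout "$pgdata/server.key" -out "$pgdata/server.crt" 2>/dev/null
    # The postmaster refuses to start if the key is group/world readable.
    chmod 0600 "$pgdata/server.key"
}

# Turn on ssl = true in postgresql.conf. The shipped file carries a commented
# "#ssl = false" line; replace it if present, otherwise append. Idempotent.
enable_pg_ssl_config() {
    conf=$1
    touch "$conf"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*ssl[[:space:]]*=' "$conf"; then
        sed -i.bak -E 's/^[[:space:]]*#?[[:space:]]*ssl[[:space:]]*=.*/ssl = true/' "$conf"
        rm -f "$conf.bak"
    else
        printf 'ssl = true\n' >> "$conf"
    fi
}

# Allow one sensor to reach the snort database only over SSL, with an md5
# password check (7.3 pg_hba.conf format: type db user address mask method).
# Database and user names are assumptions for this example.
add_sensor_hostssl() {
    hba=$1; addr=$2; mask=$3
    line="hostssl snort snort $addr $mask md5"
    grep -qxF "$line" "$hba" 2>/dev/null || printf '%s\n' "$line" >> "$hba"
}

# Usage (set PG_SSL_SETUP_RUN=1 to actually touch $PGDATA):
#   make_pg_server_cert "$PGDATA"
#   enable_pg_ssl_config "$PGDATA/postgresql.conf"
#   add_sensor_hostssl "$PGDATA/pg_hba.conf" 192.0.2.10 255.255.255.255
# then restart the postmaster; psql reports "SSL connection (cipher: ...)"
# on connect when the switch took effect.
if [ "${PG_SSL_SETUP_RUN:-0}" = 1 ]; then
    PGDATA=${PGDATA:-/usr/local/pgsql/data}
    make_pg_server_cert "$PGDATA"
    enable_pg_ssl_config "$PGDATA/postgresql.conf"
    add_sensor_hostssl "$PGDATA/pg_hba.conf" 192.0.2.10 255.255.255.255
fi
```

Clients still have to be told to use SSL (and, to get the authentication Dirk talks about, to verify the server certificate rather than merely encrypt); the `hostssl` line only guarantees that non-SSL attempts from the sensor are rejected.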


-----Original Message-----
From: Dirk Geschke [mailto:Dirk_Geschke () genua de] 
Sent: Thursday, December 11, 2003 10:21 AM
To: Erwin Van de Velde
Cc: Dirk Geschke; snort-users () lists sourceforge net; 
Dirk_Geschke () genua de
Subject: Re: [Snort-users] Database output 


Hi Erwin,

I even don't have a big network :-)
I'm writing my master thesis about central logging and analysis, and so I'm
checking the possibilities that snort and other tools offer, including
database connectivity, which is in my opinion the easiest way to analyse logs
afterwards. Also, other tools can log to the same database, creating lots of
possibilities for cross-analysis.
I'm also looking into the possibilities of using SSL on one network (the
'official' one), but I've already seen that my conclusion will be that this
is not good. But even when using a network reserved for logging purposes
only, SSL seems good to me, as it can encrypt the traffic (for instance, when
I log which services are running on a computer, it's perhaps better not to
shout it across the network :-) ), and SSL also gives authentication: is the
one logging to the database really the one he says he is? Although a separate
logging network minimizes chances of eavesdropping or forging, I think that
SSL gives just that little more security...
I only have to see what the performance penalty of using SSL is, and if it is
affordable.

this all depends on what you want...

If you use a separate network for IDS then encryption won't make
sense. If someone has access to sniff this network it is more 
likely that he can also sniff your LAN network you are monitoring
with snort. Therefore you only hide things an attacker should 
already know...

Some databases like MySQL are already able to use SSL so there is
no need to use stunnel. (Actually it is not built into snort but
I think it would only require an extra option in the connect string
to the library call. So it is not really a problem to implement it.)

Two points are of course important with SSL:

1. The impact on the insert rate. This will decrease due to the
   encryption. But this will depend on how much traffic is involved.

2. Authentication of the clients/sensors. On a separate network this
   should be no problem. But on a public line this could be a more
   important problem. Gladly in TCP it is not so easy to spoof the 
   source addresses but a valid certificate would be a much better 
   check than the IP address and username/password.

Best regards

Dirk
--
+-------------------------------------------------------------+
| Dr. Dirk Geschke            | E-mail: geschke () genua de      |
| Gesellschaft fuer Netzwerk  | Tel.  : +49-(0)-89-991950-131 |
| und Unix Administration mbH | Fax   : +49-(0)-89-991950-999 |
| 85551 Kirchheim / Germany   | Domagkstrasse 7               |
+-------------------------------------------------------------+




-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign 
up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell 
to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


