Snort mailing list archives
RE: Database output
From: "Hutchinson, Andrew" <andrew.hutchinson () Vanderbilt Edu>
Date: Thu, 11 Dec 2003 11:13:24 -0600
Just as an FYI on the ssl question... Erwin mentions in an earlier message that he is using Postgresql. Postgresql can be compiled to use ssl w/o using stunnel. You just simply install OpenSSL before installing Postgresql, and then configure Postgresql using the "--with-openssl[=DIR]" directive. You then create a certificate (look here: http://www.postgresql.com/docs/7.3/static/ssl-tcp.html for instructions), and add the "ssl=true" directive in your postgresql.conf file.

Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
(615) 936-2856
-----Original Message-----
From: Dirk Geschke [mailto:Dirk_Geschke () genua de]
Sent: Thursday, December 11, 2003 10:21 AM
To: Erwin Van de Velde
Cc: Dirk Geschke; snort-users () lists sourceforge net; Dirk_Geschke () genua de
Subject: Re: [Snort-users] Database output

Hi Erwin,

> I even don't have a big network :-) I'm writing my master thesis about
> central logging and analysis, and so I'm checking the possibilities that
> snort and other tools offer, including database connectivity, which is in
> my opinion the easiest way to analyse logs afterwards. Also, other tools
> can log to the same database, creating lots of possibilities for
> cross-analysis.
>
> I'm also looking into the possibilities of using SSL on one network (the
> 'official' one), but I've already seen that my conclusion will be that
> this is not good. But even when using a network reserved for logging
> purposes only, SSL seems good to me, as it can encrypt the traffic (for
> instance, when I log which services are running on a computer, it's
> perhaps better not to shout it across the network :-) ), and SSL gives
> also authentication: is the one logging to the database really the one he
> says he is? Although a separate logging network minimizes chances of
> eavesdropping or forging, I think that SSL gives just that little more
> security... I only have to see what the performance penalty of using SSL
> is, and if it is affordable.

this all depends on what you want...

If you use a separate network for IDS then encryption won't make sense. If someone has access to sniff this network it is more likely that he can also sniff your LAN network you are monitoring with snort. Therefore you only hide things an attacker should already know...

Some databases like MySQL are already able to use SSL so there is no need to use an stunnel. (Actually it is not built in snort but I think it would only require an extra option in the connect string to the library call. So it is not really a problem to implement it.)

Two points are of course important with SSL:

1. The impact on the insert rate. This will decrease due to the encryption. But this will depend on how much traffic is involved.

2. Authentication of the clients/sensors. On a separate network this should be no problem. But on a public line this could be a more important problem. Gladly in TCP it is not so easy to spoof the source addresses but a valid certificate would be a much better check than the IP address and username/password.

Best regards

Dirk

-- 
+-------------------------------------------------------------+
| Dr. Dirk Geschke             | E-mail: geschke () genua de   |
| Gesellschaft fuer Netzwerk   | Tel. : +49-(0)-89-991950-131 |
| und Unix Administration mbH  | Fax  : +49-(0)-89-991950-999 |
| 85551 Kirchheim / Germany    | Domagkstrasse 7              |
+-------------------------------------------------------------+

-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials. Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
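As an added defender-side check (not code from this thread or from PostgreSQL itself), a small POSIX shell audit of the two things Andrew's steps leave to the administrator: that ssl is actually switched on in postgresql.conf, and that pg_hba.conf uses "hostssl" rather than plain "host" for the sensor network, because ssl=true on its own still lets a client connect in cleartext, which also defeats the certificate-based sensor authentication Dirk raises. The config directory layout, the database name "snort" and the sample files are assumptions constructed for the example.

```shell
#!/bin/sh
# Audit a PostgreSQL server for the SSL setup discussed in the thread:
# ssl switched on in postgresql.conf, and pg_hba.conf forcing "hostssl"
# (not plain "host") for the sensors, so no client can fall back to cleartext.

# Return 0 if the last uncommented "ssl = ..." line enables SSL
# (PostgreSQL accepts true/on/yes/1, in any letter case).
pg_ssl_enabled() {
    val=$(sed -n "s/^[[:space:]]*ssl[[:space:]]*=[[:space:]]*'\{0,1\}\([A-Za-z0-9]*\).*/\1/p" "$1" | tail -n 1)
    case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
        true|on|yes|1) return 0 ;;
        *)             return 1 ;;
    esac
}

# Print pg_hba.conf records that still accept unencrypted TCP ("host" type)
# for the given database or for "all". Return 0 only when there are none.
pg_hba_cleartext() {
    found=$(awk -v db="$2" '$1=="host" && ($2==db || $2=="all") {print}' "$1")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Combined audit of a config directory: 1 = SSL off, 2 = cleartext records left.
pg_ssl_audit() {
    pg_ssl_enabled "$1/postgresql.conf" || { echo "ssl is not enabled"; return 1; }
    pg_hba_cleartext "$1/pg_hba.conf" "$2" || { echo "cleartext records above"; return 2; }
    echo "SSL enabled and enforced for database $2"
}

# Constructed sample configs (not from the list): a server that set ssl=true as
# Andrew describes but kept a plain "host" record beside the "hostssl" one.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/postgresql.conf" <<'EOF'
#ssl = false            # commented out, must be ignored
  ssl = true            # the directive Andrew mentions
EOF
cat > "$SAMPLE_DIR/pg_hba.conf" <<'EOF'
# TYPE  DATABASE  USER   IP-ADDRESS  IP-MASK        METHOD
local   all       all                               trust
hostssl snort     snort  10.0.0.0    255.255.255.0  md5
host    snort     snort  10.0.0.0    255.255.255.0  md5
EOF

pg_ssl_audit "$SAMPLE_DIR" snort || echo "audit exit status: $?"
```

The sample audit exits with status 2 because of the remaining "host" record; deleting that line (leaving only the "hostssl" one) makes it pass.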
Current thread:
- Database output Erwin Van de Velde (Dec 10)
- Re: Database output Dirk Geschke (Dec 11)
- Re: Database output Erwin Van de Velde (Dec 11)
- Re: Database output Dirk Geschke (Dec 11)
- Re: Database output Erwin Van de Velde (Dec 11)
- Re: Database output Erwin Van de Velde (Dec 11)
- Re: Database output Dirk Geschke (Dec 11)
- <Possible follow-ups>
- RE: Database output Hutchinson, Andrew (Dec 11)
- Re: Database output Erwin Van de Velde (Dec 11)