Snort mailing list archives

Re: Database output


From: Erwin Van de Velde <erwin.vandevelde () ua ac be>
Date: Thu, 11 Dec 2003 18:27:11 +0100

Hi,

Some databases like MySQL are already able to use SSL so there is
no need to use a stunnel. (Actually it is not built in snort but
I think it would only require an extra option in the connect string
to the library call. So it is not really a problem to implement it.)

I need stunnel when I want the client to use its own certificate, that is then 
verified by the server.

Two points are of course important with SSL:

1. The impact on the insert rate. This will decrease due to the
   encryption. But this will depend on how much traffic is involved.

I noticed, but it is foremost the setup of the connection, afterwards the 
costs are acceptably low.

2. Authentication of the clients/sensors. On a separate network this
   should be no problem. But on a public line this could be a more
   important problem. Gladly in TCP it is not so easy to spoof the
   source addresses but a valid certificate would be a much better
   check than the IP address and username/password.


Okay, spoofing TCP is indeed not easy, but I also want to use an authenticated 
way for the client to tell it's still there (+/- every minute, configurable). 
Without authentication, someone could take my client down and start acting as 
if he was the client, setting up his own TCP connection to the server, 
telling the client is still there (as I don't want to use a persistent TCP 
connection here, because in that case, the server needs to keep a lot of 
connections open in large networks). This is dangerous, as the client also 
notifies the server when services on the host change their status: Running 
<-> Stopped... So: not authenticating would permit the attacker to create 
false negatives on service statuses.
This is of course all done outside of snort.

Greetings,
Erwin
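The authenticated "still here" message described above, as an added example that is not from the original post and not part of snort: each sensor signs its heartbeat (including its service statuses) with a per-sensor pre-shared key, and the server rejects reports that are forged, tampered with, stale or replayed. The sensor id, key and freshness window are constructed sample values.

```python
import hmac, hashlib, json, time

# Per-sensor pre-shared keys (constructed sample; distribute real keys out of band).
SENSOR_KEYS = {"sensor-01": b"constructed-demo-key-do-not-reuse"}
MAX_SKEW = 90  # seconds; heartbeats arrive about once a minute, so allow some slack

def build_heartbeat(sensor_id, key, seq, services, ts=None):
    """Sensor side: serialize the status report and append an HMAC-SHA256 tag.
    seq is a per-sensor counter that the sensor increments on every message."""
    body = json.dumps(
        {"id": sensor_id, "seq": seq, "ts": ts if ts is not None else int(time.time()),
         "services": services},
        sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"." + tag.encode()

def verify_heartbeat(msg, state, now=None):
    """Server side: check the tag, the freshness window and the sequence number.
    state maps sensor id -> highest seq accepted so far (the server keeps it
    across the short-lived TCP connections). Returns (accepted, reason, payload)."""
    try:
        body, tag = msg.rsplit(b".", 1)
        payload = json.loads(body)
        key = SENSOR_KEYS[payload["id"]]
        seq, ts = int(payload["seq"]), int(payload["ts"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed or unknown sensor", None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return False, "bad tag", None   # forged or altered: sender lacks the key
    now = now if now is not None else int(time.time())
    if abs(now - ts) > MAX_SKEW:
        return False, "stale", None     # captured earlier and resent later
    if seq <= state.get(payload["id"], -1):
        return False, "replay", None    # same or older counter already accepted
    state[payload["id"]] = seq
    return True, "ok", payload
```

The server should also raise an alarm when a sensor's heartbeats stop arriving, since an attacker who cannot forge the message can still silence the host.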


