Snort mailing list archives
Re: Database output
From: Erwin Van de Velde <erwin.vandevelde () ua ac be>
Date: Thu, 11 Dec 2003 18:27:11 +0100
Hi,
> Some databases like MySQL are already able to use SSL so there is no need to use a stunnel. (Actually it is not built in snort but I think it would only require an extra option in the connect string to the library call. So it is not really a problem to implement it.)

I need stunnel when I want the client to use its own certificate, that is then verified by the server.

> Two points are of course important with SSL:
> 1. The impact on the insert rate. This will decrease due to the encryption. But this will depend on how much traffic is involved.

I noticed, but it is foremost the setup of the connection; afterwards the costs are acceptably low.

> 2. Authentication of the clients/sensors. On a separate network this should be no problem. But on a public line this could be a more important problem. Gladly in TCP it is not so easy to spoof the source addresses, but a valid certificate would be a much better check than the IP address and username/password.

Okay, spoofing TCP is indeed not easy, but I also want to use an authenticated way for the client to tell it's still there (+/- every minute, configurable). Without authentication, someone could take my client down and start acting as if he was the client, setting up his own TCP connection to the server, telling the client is still there (as I don't want to use a persistent TCP connection here, because in that case the server needs to keep a lot of connections open in large networks). This is dangerous, as the client also notifies the server when services on the host change their status: Running <-> Stopped... So: not authenticating would permit the attacker to create false negatives on service statuses. This is of course all done outside of snort.

Greetings,
Erwin
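The impersonation risk Erwin describes (an attacker taking a sensor down, opening his own connection and reporting "still here" / "Running" to mask the outage) is exactly what an authenticated, replay-protected heartbeat prevents. The following is an added illustration, not code from Erwin, Dirk or the Snort project. It stands in for the client-certificate scheme with a per-sensor shared HMAC key (an assumption: a certificate-based check over stunnel would play the same role); sensor names, keys and the fixed clock are constructed for the example.

```python
import hmac
import hashlib
import json
import time

# Constructed sample: one shared secret per sensor, provisioned out of band.
# (Assumption: a real deployment uses a per-sensor key or client certificate,
# never a constant in the source.)
SENSOR_KEYS = {
    "sensor-01": b"constructed-secret-for-sensor-01",
}

HEARTBEAT_WINDOW = 90   # seconds; clients report roughly once a minute
ALGO = "sha256"


def _canonical(sensor_id, seq, ts, services):
    # Canonical, field-ordered encoding so client and server MAC identical bytes.
    return json.dumps(
        {"sensor": sensor_id, "seq": seq, "ts": ts, "services": services},
        sort_keys=True, separators=(",", ":"),
    ).encode()


def build_heartbeat(sensor_id, key, seq, services, now=None):
    """Client side: a heartbeat carrying service states plus an HMAC over them."""
    ts = int(now if now is not None else time.time())
    mac = hmac.new(key, _canonical(sensor_id, seq, ts, services), ALGO).hexdigest()
    return {"sensor": sensor_id, "seq": seq, "ts": ts, "services": services, "mac": mac}


class HeartbeatServer:
    """Server side: accept a heartbeat only if it is authentic, fresh and not replayed."""

    def __init__(self, keys, window=HEARTBEAT_WINDOW):
        self.keys = keys
        self.window = window
        self.last_seq = {}   # sensor_id -> highest sequence number accepted so far
        self.status = {}     # sensor_id -> last accepted service states

    def accept(self, msg, now=None):
        """Return (accepted, reason). State is only updated for accepted messages."""
        now = now if now is not None else time.time()
        key = self.keys.get(msg.get("sensor"))
        if key is None:
            return False, "unknown sensor"
        payload = _canonical(msg["sensor"], msg["seq"], msg["ts"], msg["services"])
        expected = hmac.new(key, payload, ALGO).hexdigest()
        # Constant-time comparison; a message forged without the key fails here.
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return False, "bad mac"
        # Freshness: an old captured heartbeat cannot be presented much later.
        if abs(now - msg["ts"]) > self.window:
            return False, "stale timestamp"
        # Monotonic sequence: the same heartbeat cannot be replayed inside the window.
        if msg["seq"] <= self.last_seq.get(msg["sensor"], 0):
            return False, "replayed or out-of-order sequence"
        self.last_seq[msg["sensor"]] = msg["seq"]
        self.status[msg["sensor"]] = dict(msg["services"])
        return True, "ok"


def demo():
    """The scenario from the mail: a genuine heartbeat, a forged one, and two replays."""
    key = SENSOR_KEYS["sensor-01"]
    server = HeartbeatServer(SENSOR_KEYS)
    t0 = 1_071_160_000   # constructed fixed clock so the run is deterministic

    genuine = build_heartbeat("sensor-01", key, 1, {"httpd": "Running"}, now=t0)
    r_genuine = server.accept(genuine, now=t0 + 5)

    # Attacker without the key reports httpd "Running" after taking the host down.
    forged = build_heartbeat("sensor-01", b"attacker-guess", 2,
                             {"httpd": "Running"}, now=t0 + 60)
    r_forged = server.accept(forged, now=t0 + 65)

    # Attacker replays the captured genuine heartbeat: once soon, once much later.
    r_replay_soon = server.accept(genuine, now=t0 + 30)
    r_replay_late = server.accept(genuine, now=t0 + 120)

    return r_genuine, r_forged, r_replay_soon, r_replay_late, server.status["sensor-01"]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Only the first heartbeat updates the server's view; the forged message fails the MAC check, the early replay trips the sequence check and the late replay is rejected as stale, so an attacker who silences the sensor cannot keep its services looking "Running".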