Snort mailing list archives

Re: DB Rules


From: Erek Adams <erek () theadamsfamily net>
Date: Sun, 19 Aug 2001 21:50:11 -0700 (PDT)

On Sun, 19 Aug 2001, Jason Robertson wrote:

> actually you wouldn't have to worry so much about -HUPing the database, if
> it's running a sql database, or the likes just insert the data directly
> into the database, when you are ready you rehup everything, it would then
> open a connection to the database do select * from rules, and then close
> the database.  As for others, that's what clustered databases, can be used
> for.

I'm all for centralized data!  :)  In my work, I deal _very_ closely with
LDAP.  I think that if Snort had an LDAP plugin, it would rock, but that's my
opinion. :)  LDAP kicks ass, but is _NOT_ the fix for everything.  You just
have to keep that in mind.

> It's the methodology I am using for my pam module actually for postgresql,
> which is a multiple database engine design, so I have a backup which both
> db's update each other, though I am planning to add a front end to that as
> well.. to provide a caching option, to store a number of transactions.. Though
> I wish the db servers had an option to cache in a connection, especially
> inserts, which can be where the biggest delays can occur.

Very, very nice.  I _think_ (take that for what you will :), that the DB
output plugin is being reworked a bit.  Between that rework and BarnYard, I
think we're going to see a whole new breed of snort.  Marty and crew are like
code demons--It's amazing.  Hell, it takes me 3-5 days to write a GW-BASIC
"Hello World" program, and they're turning out amazing things in just a few
HOURS!

[Blatant Plug:  Everyone needs to go out and buy an OpenSnort Sensor and
Management Console.  Make the Pointy-Hair types do it!  It'll make your job
simpler! http://www.sourcefire.com/ :-]

> But the biggest benefit, is that you can simplify, and reduce the number
> of areas to maintain, it is the reason for my sql pam and nss modules I
> have been working on and going nuts on it.. I am thinking of a different
> system, I would love to use kerberos, but after looking at it.. I don't
> have a need for that level of system, and then again using DES, there is
> now programs that can crack DES in real time, so since it's pretty much
> internal anyways, I am working on a networked auth system.. for that
> purpose..  jason

Very cool.  But one thing that I'm not quite understanding--Why wouldn't a
'Master Control Program' (Sorry, too much Tron...) using flat files, and ssh
keys work just as well?  The infrastructure already exists in most setups,
you've got simple control over your files, configs, rules, etc.  It's secure,
prebuilt, preinstalled and works.  No extra things to break.  If you can't ssh
to a sensor, something is wrong...  No, OpenSSH isn't the end-all-be-all, but
it's simple, handy, and almost no overhead (if you have a good PRNG).

I guess it's back to the "Tomato vs. Tamato" discussion... :-)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
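[Editor's note, not part of the thread: the "select * from rules, write the config, then re-HUP" flow discussed above, as an added example. This is not Snort's code and not Jason's PAM/NSS work; it uses an in-memory sqlite3 table as a stand-in for the SQL server, the `rules(sid, enabled, rule)` layout and the pidfile path are assumptions, and every row is constructed. The point it adds to the discussion is the check a practitioner wants in between: reject a malformed row before it reaches the rules file, and only HUP when the file actually changed, since a bad line would otherwise take the sensor down on reload.]

```python
"""Export Snort rules from a SQL table to a flat rules file and HUP the
sensor only when the file changed. Added example for the mailing-list
discussion; the `rules` table layout and pidfile path are assumptions."""
import hashlib
import os
import re
import signal
import sqlite3

# Coarse sanity check for a Snort rule: action, proto, src, sport,
# direction, dst, dport, then an options block in parentheses.
RULE_RE = re.compile(
    r"^(alert|log|pass)\s+(tcp|udp|icmp|ip)\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s+\(.*\)\s*$"
)


def load_constructed_db():
    """In-memory sqlite stand-in for the SQL server; every row is constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rules (sid INTEGER PRIMARY KEY, enabled INTEGER, rule TEXT)")
    conn.executemany("INSERT INTO rules VALUES (?, ?, ?)", [
        (1000001, 1, 'alert tcp any any -> any 80 (msg:"constructed web probe"; content:"/cgi-bin/"; sid:1000001;)'),
        (1000002, 0, 'alert udp any any -> any 53 (msg:"constructed dns"; sid:1000002;)'),
        (1000003, 1, 'alert tcp any any -> any 22 (msg:"constructed ssh"; sid:1000003;)'),
        (1000004, 1, 'this is not a rule'),  # deliberately broken row
    ])
    conn.commit()
    return conn


def fetch_rules(conn):
    """SELECT the enabled rules and drop malformed ones instead of writing
    them into the config. Returns (good_rules, rejected_sids)."""
    good, bad = [], []
    for sid, rule in conn.execute(
            "SELECT sid, rule FROM rules WHERE enabled = 1 ORDER BY sid"):
        # the sid in the text must agree with the row's key, so a mis-edited
        # row cannot silently shadow another rule's sid
        if RULE_RE.match(rule) and f"sid:{sid};" in rule:
            good.append(rule)
        else:
            bad.append(sid)
    return good, bad


def render(rules):
    """One rule per line, in the order the query returned them."""
    return "".join(r + "\n" for r in rules)


def digest(text):
    return hashlib.sha256(text.encode()).hexdigest()


def write_if_changed(path, text):
    """Write the rules file only if its content differs; True if it was rewritten."""
    if os.path.exists(path):
        with open(path) as f:
            if digest(f.read()) == digest(text):
                return False
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(text)
    os.replace(tmp, path)  # atomic swap: snort never sees a half-written file
    return True


def reload_snort(pidfile):
    """Send SIGHUP to the pid in pidfile so snort re-reads its rules.
    Returns False (and does nothing) if there is no pidfile."""
    if not os.path.exists(pidfile):
        return False
    with open(pidfile) as f:
        os.kill(int(f.read().strip()), signal.SIGHUP)
    return True


if __name__ == "__main__":
    conn = load_constructed_db()
    good, bad = fetch_rules(conn)
    changed = write_if_changed("/tmp/db.rules", render(good))
    print(f"exported {len(good)} rules, rejected sids {bad}, changed={changed}")
    if changed:
        # assumed pidfile location; adjust to the sensor's -i interface
        reload_snort("/var/run/snort_eth0.pid")
```

The two guards are the whole point: the regex plus sid cross-check keeps a typo in one database row from being pushed to every sensor, and the digest comparison means an unchanged table does not cause a needless reload (which, on the Snort of that era, meant dropping packets while it re-parsed everything). The same `render()` output is what a flat-file-plus-ssh-key scheme would scp to the sensor instead.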


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

