Snort mailing list archives
Re: Database output
From: Dirk Geschke <Dirk_Geschke () genua de>
Date: Thu, 11 Dec 2003 17:21:00 +0100
Hi Erwin,
I even don't have a big network :-) I'm writing my master thesis about central logging and analysis, and so I'm checking the possibilities that snort and other tools offer, including database connectivity, which is in my opinion the easiest way to analyse logs afterwards. Also, other tools can log to the same database, creating lots of possibilities for cross-analysis. I'm also looking into the possibilities of using SSL on one network (the 'official' one), but I've already seen, that my conclusion will be that this is not good. But even when using a network reserved for logging purposes only, SSL seems good to me, as it can encrypt the traffic (for instance, when I log which services are running on a computer, it's perhaps better not to shout it across the network :-) ), and SSL gives also authentication: is the one logging to the database really the one he says he is? Although a seperate logging network minimizes chances of eavesdropping or forging, I think that SSL gives just that little more security... I only have to see what the performance penalty of using SSL is, and if it is affordable.
this all depends on what you want... If you use a seperate network for IDS then encryption won't make sense. If someone has access to sniff this network it is more likely that he can also sniff your LAN network you are monitoring with snort. Therefore you only hide things an attacker should already know... Some databases like MySQL are already able to use SSL so there is no need to use an stunnel. (Actually it is not built in snort but I think it would only require an extra option in the connect string to the library call. So it is not really a problem to implement it.) Two points are of course important with SSL: 1. The impact on the insert rate. This will be decrease due to the encryption. But this will depend on how many traffic is involved. 2. Authentication of the clients/sensors. On a separate network this should be no problem. But on a public line this could be a more important problem. Gladly in TCP it is not so easy to spoof the source addresses but a valid certifcate would be a much better check than the IP address and username/password. Best regards Dirk -- +-------------------------------------------------------------+ | Dr. Dirk Geschke | E-mail: geschke () genua de | | Gesellschaft fuer Netzwerk | Tel. : +49-(0)-89-991950-131 | | und Unix Administration mbH | Fax : +49-(0)-89-991950-999 | | 85551 Kirchheim / Germany | Domagkstrasse 7 | +-------------------------------------------------------------+ ------------------------------------------------------- This SF.net email is sponsored by: IBM Linux Tutorials. Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Database output Erwin Van de Velde (Dec 10)
- Re: Database output Dirk Geschke (Dec 11)
- Re: Database output Erwin Van de Velde (Dec 11)
- Re: Database output Dirk Geschke (Dec 11)
- Re: Database output Erwin Van de Velde (Dec 11)
- Re: Database output Erwin Van de Velde (Dec 11)
- Re: Database output Dirk Geschke (Dec 11)
- <Possible follow-ups>
- RE: Database output Hutchinson, Andrew (Dec 11)
- Re: Database output Erwin Van de Velde (Dec 11)