Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Database output

From: Dirk Geschke <Dirk_Geschke () genua de>
Date: Thu, 11 Dec 2003 17:21:00 +0100
Hi Erwin,


I even don't have a big network :-)
I'm writing my master thesis about central logging and analysis, and so I'm 
checking the possibilities that snort and other tools offer, including 
database connectivity, which is in my opinion the easiest way to analyse logs 
afterwards. Also, other tools can log to the same database, creating lots of 
possibilities for cross-analysis.
I'm also looking into the possibilities of using SSL on one network (the 
'official' one), but I've already seen, that my conclusion will be that this 
is not good. But even when using a network reserved for logging purposes 
only, SSL seems good to me, as it can encrypt the traffic (for instance, when 
I log which services are running on a computer, it's perhaps better not to 
shout it across the network :-) ), and SSL gives also authentication: is the 
one logging to the database really the one he says he is? Although a seperate 
logging network minimizes chances of eavesdropping or forging, I think that 
SSL gives just that little more security...
I only have to see what the performance penalty of using SSL is, and if it is 
affordable.


this all depends on what you want...

If you use a seperate network for IDS then encryption won't make
sense. If someone has access to sniff this network it is more 
likely that he can also sniff your LAN network you are monitoring
with snort. Therefore you only hide things an attacker should 
already know...

Some databases like MySQL are already able to use SSL so there is
no need to use an stunnel. (Actually it is not built in snort but
I think it would only require an extra option in the connect string
to the library call. So it is not really a problem to implement it.)

Two points are of course important with SSL:

1. The impact on the insert rate. This will be decrease due to the
   encryption. But this will depend on how many traffic is involved.

2. Authentication of the clients/sensors. On a separate network this
   should be no problem. But on a public line this could be a more
   important problem. Gladly in TCP it is not so easy to spoof the 
   source addresses but a valid certifcate would be a much better 
   check than the IP address and username/password.

Best regards

Dirk
--
+-------------------------------------------------------------+
| Dr. Dirk Geschke            | E-mail: geschke () genua de      |
| Gesellschaft fuer Netzwerk  | Tel.  : +49-(0)-89-991950-131 |
| und Unix Administration mbH | Fax   : +49-(0)-89-991950-999 |
| 85551 Kirchheim / Germany   | Domagkstrasse 7               |
+-------------------------------------------------------------+




-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: