Snort mailing list archives
Securing Host Based Snort Installs
From: Steven McLaughlin <steve () Lan com au>
Date: Sat, 1 Jun 2013 11:58:15 +1000
Hi All,

I have a snort station up and running with a couple of sensor tap ports and MySQL database, using the schema that ships with Snorby. I was wondering if anyone could shed some light on security best practice for authentication to the DB from remote Snort or Barnyard2 connections.

I can happily run a MySQL connection over stunnel for encryption or use SSL through the MySQL DB natively. However, my concern relates to the credentials used for authentication. Both Snort and Barnyard2 database connection configuration store the password in the .conf files. Which is fine when I am running these sensors on a hardened server which is only accessed by security engineers. However, with remote sensors this has the risk of database compromise.

For example, if I have a snort sensor happily running on a Windows 2008 server which authenticates to my mothership DB server (which I may not have control who logs in on the Win box). Let's say a malicious user steals the DB authentication credentials from the .conf file whilst logged into the Windows server. They then have write access to the central snort database and could effectively delete large portions of it.

Is there any best practice or philosophy for deployment to avoid this risk with remote HIDS based snort sensors?

thanks,
Steve
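Added example, not part of the original post or of Snort/Barnyard2: a small audit that inventories the exposure described above by parsing the `output database:` line in each sensor's .conf and flagging embedded passwords, remote DB hosts, and a DB account reused across sensors. The sensor names, hostnames and the password value are constructed, and the script assumes the space-separated `key=value` form of that directive.

```python
import re
from collections import defaultdict

# Matches the "output database:" directive used in Snort and Barnyard2 .conf files.
DB_LINE = re.compile(r"^\s*output\s+database:\s*(?P<body>.+)$")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def parse_db_outputs(conf_text):
    """Return one dict of key=value settings per active 'output database:' line."""
    outputs = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):   # skip commented-out directives
            continue
        m = DB_LINE.match(line)
        if m:
            outputs.append(dict(re.findall(r"(\w+)=(\S+)", m.group("body"))))
    return outputs

def audit(sensor_confs):
    """sensor_confs maps sensor name -> .conf text; returns sorted (sensor, finding) pairs."""
    findings, seen = [], defaultdict(set)
    for sensor, text in sensor_confs.items():
        for out in parse_db_outputs(text):
            host = out.get("host", "localhost")
            if "password" in out:
                findings.append((sensor, "plaintext DB password in .conf"))
                seen[(host, out.get("user"), out["password"])].add(sensor)
            if host not in LOCAL_HOSTS:
                findings.append((sensor, f"writes to remote DB {host}"))
    # One stolen .conf exposes every sensor that shares the same account.
    for (host, user, _), sensors in seen.items():
        if len(sensors) > 1:
            for s in sensors:
                findings.append((s, f"DB account {user}@{host} shared with other sensors"))
    return sorted(findings)

# Constructed sample configs (not from the post); the password is a placeholder.
SAMPLE = {
    "hardened-tap": "output database: log, mysql, user=snort password=EXAMPLE-ONLY dbname=snorby host=localhost\n",
    "win2008-hids": "# output database: log, mysql, user=old password=x dbname=snorby host=db\n"
                    "output database: log, mysql, user=snort password=EXAMPLE-ONLY dbname=snorby host=db.example.internal\n",
    "branch-hids": "output database: log, mysql, user=snort password=EXAMPLE-ONLY dbname=snorby host=db.example.internal\n",
}

if __name__ == "__main__":
    for sensor, finding in audit(SAMPLE):
        print(f"{sensor}: {finding}")
```

The findings never include the password itself, so the report can be shared without spreading the credential further.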