Home page logo
/

snort logo Snort mailing list archives

Securing Host Based Snort Installs
From: Steven McLaughlin <steve () Lan com au>
Date: Sat, 1 Jun 2013 11:58:15 +1000

Hi All,

I have a snort station up and running with a couple of sensor tap ports and
MySQL database. Using the schema that ships with Snorby.

I was wondering if anyone could shed some light on security best practice
for authentication to the DB from remote Snort or Barnyard2 connections.

I can happily run a MySQL connection over stunnel for encryption or use SSL
through the MySQL DB natively. However my concern relates to the
credentials used for authentication.

Both Snort, and Barnyard2 database connection configuration store the
password in the .conf files. Which is fine when I am running these sensors
on a hardened server which is only accessed by security engineers. However
with remote sensors this has the risk of database compromise.

For example. If I have a snort sensor happily running on a Windows 2008
server which authenticates to my mothership DB server (which I may not have
control who logs in on the Win box.) Lets say a malicious user steals the
DB authentication credentials from the .conf file whilst logged into the
Windows server. They then have write access to the central snort database
and could effectively delete large portions of it.

Is there any best practice or philosphy for deployment to avoid this risk
with remote HIDS based snort sensors?

thanks,

Steve
------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault