Home page logo
/

snort logo Snort mailing list archives

Re: Securing Host Based Snort Installs
From: Craig Wright <craig () rcjbr org>
Date: Sat, 1 Jun 2013 11:59:11 +1000

I will send details tomorrow
On 01/06/2013 11:58 AM, "Steven McLaughlin" <steve () lan com au> wrote:

Hi All,

I have a snort station up and running with a couple of sensor tap ports
and MySQL database. Using the schema that ships with Snorby.

I was wondering if anyone could shed some light on security best practice
for authentication to the DB from remote Snort or Barnyard2 connections.

I can happily run a MySQL connection over stunnel for encryption or use
SSL through the MySQL DB natively. However my concern relates to the
credentials used for authentication.

Both Snort, and Barnyard2 database connection configuration store the
password in the .conf files. Which is fine when I am running these sensors
on a hardened server which is only accessed by security engineers. However
with remote sensors this has the risk of database compromise.

For example. If I have a snort sensor happily running on a Windows 2008
server which authenticates to my mothership DB server (which I may not have
control who logs in on the Win box.) Lets say a malicious user steals the
DB authentication credentials from the .conf file whilst logged into the
Windows server. They then have write access to the central snort database
and could effectively delete large portions of it.

Is there any best practice or philosphy for deployment to avoid this risk
with remote HIDS based snort sensors?

thanks,

Steve

------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault