Home page logo
/

snort logo Snort mailing list archives

Re: Securing Host Based Snort Installs
From: "johnny.venter" <johnny.venter () zoho com>
Date: Wed, 05 Jun 2013 11:25:59 -0700

Since the credentials are stored in files, you could use file/folder permissions in Windows to restrict 
read/write/modify access. 

Only caveat is that members of the local administrators group can take ownership and then modify file permissions.

Another options is to use EFS on Windows.  You can logon with your credentials and encrypt the Snort directories.  Even 
if an administrator then takes ownership of the directories/files or has Full Control, they will *not* be able to view 
the document because EFS is linked to your user account.

Not sure how you installed Snort so you might have to enable EFS with the Snort service account to allow the Snort 
service to encrypt and decrypt the file on the fly.

--
Johnny


---- On Fri, 31 May 2013 18:59:11 -0700 Craig Wright wrote ---- 

I will send details tomorrow
On 01/06/2013 11:58 AM, "Steven McLaughlin" wrote:
Hi All,


I have a snort station up and running with a couple of sensor tap ports and MySQL database. Using the schema that 
ships with Snorby.


I was wondering if anyone could shed some light on security best practice for authentication to the DB from remote 
Snort or Barnyard2 connections.


I can happily run a MySQL connection over stunnel for encryption or use SSL through the MySQL DB natively. However my 
concern relates to the credentials used for authentication.


Both Snort, and Barnyard2 database connection configuration store the password in the .conf files. Which is fine when 
I am running these sensors on a hardened server which is only accessed by security engineers. However with remote 
sensors this has the risk of database compromise.

For example. If I have a snort sensor happily running on a Windows 2008 server which authenticates to my mothership DB 
server (which I may not have control who logs in on the Win box.) Lets say a malicious user steals the DB 
authentication credentials from the .conf file whilst logged into the Windows server. They then have write access to 
the central snort database and could effectively delete large portions of it.


Is there any best practice or philosphy for deployment to avoid this risk with remote HIDS based snort sensors?


thanks,


Steve












------------------------------------------------------------------------------ 
How ServiceNow helps IT people transform IT departments: 
1. A cloud service to automate IT design, transition and operations 
2. Dashboards that offer high-level views of enterprise services 
3. A single system of record for all IT processes 
http://p.sf.net/sfu/servicenow-d2d-j_______________________________________________ 
Snort-users mailing list 
Snort-users () lists sourceforge net 
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users 
Snort-users list archive: 
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users 

Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault