Snort mailing list archives
Re: Database output
From: Erwin Van de Velde <erwin.vandevelde () ua ac be>
Date: Thu, 11 Dec 2003 15:07:09 +0100
> But I strongly recommend using a different network for reporting alerts to a central database server. Don't use the "official" lines you are sniffing. And with a separate network, encryption should not be necessary.
>
> (BTW: What are you concerned about? All data could be sniffed? But this is what snort already does, so if someone can sniff your line he will already see the same as snort... It would make sense if the sensors are connected via WAN to the central database, but then I would suggest using a local database and accessing them via ssh/ssl to check the content. This should be much less traffic and less dangerous if there is a problem with the network.)
I don't even have a big network :-) I'm writing my master's thesis about central logging and analysis, and so I'm checking the possibilities that snort and other tools offer, including database connectivity, which is in my opinion the easiest way to analyse logs afterwards. Also, other tools can log to the same database, creating lots of possibilities for cross-analysis.

I'm also looking into the possibilities of using SSL on one network (the 'official' one), but I've already seen that my conclusion will be that this is not good. But even when using a network reserved for logging purposes only, SSL seems good to me, as it can encrypt the traffic (for instance, when I log which services are running on a computer, it's perhaps better not to shout it across the network :-) ), and SSL also gives authentication: is the one logging to the database really the one he says he is? Although a separate logging network minimizes the chances of eavesdropping or forging, I think that SSL gives just that little bit more security... I only have to see what the performance penalty of using SSL is, and if it is affordable.

Erwin Van de Velde
Student of Antwerp University
Belgium
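The server-side counterpart of the authentication point raised above, as an added example that is not part of the original thread or of Snort's own documentation: MySQL account definitions for the central alert database, with the permissive form beside a hardened one that ties each sensor to an address on the dedicated logging network and to an SSL client certificate, so a password alone (or a sniffed password) is not enough to insert alerts. The addresses (192.168.100.0/24 as the logging network), certificate subjects, passwords and account names are assumptions, as is the privilege set the output plugin needs; the REQUIRE clause on CREATE USER is MySQL 5.7+ syntax (older servers attach REQUIRE to GRANT instead).

```sql
-- Weak form: one shared account, reachable from any host, no transport
-- requirement, and far more privilege than an alert writer ever needs.
CREATE USER 'snort'@'%' IDENTIFIED BY 'snort';
GRANT ALL PRIVILEGES ON snort.* TO 'snort'@'%';

-- Hardened form: one account per sensor, bound to that sensor's address on
-- the dedicated logging network (assumed 192.168.100.0/24), accepted only
-- over SSL with a client certificate whose subject AND issuer match.
-- Certificate DNs below are assumptions for illustration.
CREATE USER 'snort_sensor1'@'192.168.100.11'
  IDENTIFIED BY 'long-random-password-for-sensor1'
  REQUIRE SUBJECT '/C=BE/O=Example IDS/CN=sensor1'
      AND ISSUER  '/C=BE/O=Example IDS/CN=Example IDS CA';

-- Least privilege: the plugin inserts events and reads/creates signature and
-- sensor rows; it has no business deleting or dropping anything. The exact
-- privileges your Snort version requires are in its database README; this
-- set is an assumption to be checked against that.
GRANT SELECT, INSERT, UPDATE ON snort.* TO 'snort_sensor1'@'192.168.100.11';

-- Analysts read the data through a separate, read-only account (e.g. after
-- ssh to the database host, as suggested in the thread), so a compromised
-- sensor cannot read other sensors' logs and an analyst cannot forge alerts.
CREATE USER 'analyst'@'localhost' IDENTIFIED BY 'another-long-random-password';
GRANT SELECT ON snort.* TO 'analyst'@'localhost';

FLUSH PRIVILEGES;

-- Verify what the server will actually enforce for the sensor account.
SHOW GRANTS FOR 'snort_sensor1'@'192.168.100.11';
```

With this in place, a connection from the wrong address, without TLS, or with a certificate issued by another CA is refused before any INSERT runs, which is the "is the one logging really who he says he is?" check done where it cannot be bypassed by the sensor. The remaining cost is the TLS handshake and record encryption per connection, which is the performance question the message ends on; a persistent connection per sensor amortises the handshake.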
Current thread:
- Database output Erwin Van de Velde (Dec 10)
- Re: Database output Dirk Geschke (Dec 11)
- Re: Database output Erwin Van de Velde (Dec 11)
- Re: Database output Dirk Geschke (Dec 11)
- Re: Database output Erwin Van de Velde (Dec 11)
- Re: Database output Erwin Van de Velde (Dec 11)
- Re: Database output Dirk Geschke (Dec 11)
- <Possible follow-ups>
- RE: Database output Hutchinson, Andrew (Dec 11)
- Re: Database output Erwin Van de Velde (Dec 11)
