[Snort-users] Logging to a central database

Steve Halligan agent33 at ...187...
Fri Apr 27 12:27:28 EDT 2001


> Encryption is not the only issue. If my snort boxen are compromised, a
> persistent SSH tunnel could be used to infiltrate further. I want to
> develop a method by which capture files are created and then retrieved
> on a regular basis for processing. I don't want to give the snort boxes
> a way to establish connections back to my central subnet.
You can do the following things.  Batching capture files completely removes
the ability to see anything in anywhere close to "real time":

1)  The SSH tunnel (I personally would use an IPSEC vpn connection) is
started from the central box, the remote box cannot bring up the tunnel, or
new tunnels.
2)  IPChains (or something similar) on the central box limits the SSH tunnel
to the database server's port.  
3)  The database user that snort uses has insert but not delete privs.

So if the remote snort box is compromised, the worst thing that will happen
is that the intruder can stop snort and/or insert bogus data into the
database.  The intruder cannot delete info out of the database, or access
anything else except the database on the central server.

-Steve  
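Point 3 above, written out as an added example (MySQL grants I constructed for this reply, not something from the thread or from the Snort project). It assumes the database is named snort, that the tunnel terminates at 127.0.0.1 on the central box, and that the Snort database output plugin needs INSERT plus SELECT (the SELECT assumption is mine); the sensor account gets nothing else, and a separate read-only account is used for analysis.

```sql
-- Constructed example: least-privilege accounts for a central Snort database.
-- Assumed database name: snort. Assumed tunnel endpoint on this host: 127.0.0.1.
CREATE DATABASE IF NOT EXISTS snort;

-- Sensor account: only reachable from the tunnel endpoint (per point 2, the
-- firewall already restricts the tunnel to the database port), so a
-- compromised sensor cannot use it from anywhere else.
CREATE USER 'snort'@'127.0.0.1' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';

-- INSERT so the sensor can log; SELECT is assumed to be needed by the output
-- plugin to look up sensor and signature ids. Deliberately NOT granted:
-- UPDATE, DELETE, DROP, ALTER, CREATE, GRANT OPTION, or anything outside snort.*
GRANT INSERT, SELECT ON snort.* TO 'snort'@'127.0.0.1';

-- Analyst account for the console/reporting side: read-only, local only.
CREATE USER 'analyst'@'localhost' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';
GRANT SELECT ON snort.* TO 'analyst'@'localhost';

FLUSH PRIVILEGES;

-- Check: each line of output should list only the privileges granted above.
SHOW GRANTS FOR 'snort'@'127.0.0.1';
SHOW GRANTS FOR 'analyst'@'localhost';
```

With these grants a compromised sensor can still stop logging or insert bogus events, exactly the residual risk described above, but it cannot delete or alter what earlier sensors recorded.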



