[Snort-users] Centralized DB Server??

Marc Thompson Marc.Thompson at ...2101...
Tue Jun 12 20:58:23 EDT 2001


Andreas,

>But I would feel uhm... uncomfortable with an open MySQL-Port to a
>machine sitting inside our network and collecting lots of 'foreign',
>unchecked and unencrypted sensor data.

What about an IDS box that has two network interfaces:  One non-IP 
Ethernet adapter on the DMZ and one IP-assigned Ethernet Adapter
on the local net.  

I forgot to mention that I am assuming that I am *not* transferring
alerts across the Internet.  The sites have redundant VPN connectivity,
and the sites are also connected via leased lines on a private net.

Does this mitigate the risk or am I misunderstanding your point?

Thanks,
Marc

*******************************************
Marc Thompson
IT Site Manager
BOPS, Inc.
7800 Shoal Creek Blvd. Suite 200N
Austin, TX 78757


-----Original Message-----
From: Andreas Lindenblatt [mailto:azrael at ...70...]
Sent: Tuesday, June 12, 2001 6:20 PM
To: Marc Thompson; 'Kris Quinby'
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Centralized DB Server??


Hi Marc,

> geographical locations.  I've been brainstorming this a bit, and it seems
> that I should be able to easily ignore alerts that are being generated by
> traffic to the MySQL TCP port.  Does this sound like the answer?
It surely is an answer to your initial question :).

But I would feel uhm... uncomfortable with an open MySQL-Port to a
machine sitting inside our network and collecting lots of 'foreign',
unchecked and unencrypted sensor data.

Even if it means we don't get 'real-time' data, we fell back to packing
and scrambling logs at the snort-boxes and fetching them with scp. 

Hmmm... what happened to SnortNet? It looked good with snort 1.6 :)

-- 
----
BYE Andreas
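Andreas's fallback above (pack and scramble the logs on each sensor, then pull them with scp instead of exposing a listening MySQL port on the central box), as an added shell example that is not from the thread or from Snort itself. The sensor directory, output directory and pre-shared passphrase file are assumed; the scp transfer is left to the caller, and a checksum is written beside each bundle so the collector can verify it before decrypting.

```shell
#!/bin/sh
# Added example (not from the thread): bundle a sensor's Snort alert files,
# encrypt the bundle with a pre-shared passphrase file, and record a checksum.
# The central host then pulls the .enc and .sha256 files over scp; nothing on
# the collector needs to listen for the sensors. All paths are hypothetical.
set -e

# pack_alerts SENSOR_DIR OUT_DIR PASSFILE
# Writes OUT_DIR/<sensor>-<utc stamp>.tar.gz.enc plus a .sha256 and prints
# the bundle path.
pack_alerts() {
    sensor_dir=$1; out_dir=$2; passfile=$3
    name=$(basename "$sensor_dir")-$(date -u +%Y%m%dT%H%M%SZ)
    mkdir -p "$out_dir"
    tar -C "$sensor_dir" -czf - . \
      | openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$passfile" \
          -out "$out_dir/$name.tar.gz.enc"
    (cd "$out_dir" && sha256sum "$name.tar.gz.enc" > "$name.sha256")
    echo "$out_dir/$name.tar.gz.enc"
}

# unpack_alerts BUNDLE DEST_DIR PASSFILE
# Refuses to decrypt unless the checksum beside the bundle matches, then
# decrypts and extracts into DEST_DIR (the collector side of the exchange).
unpack_alerts() {
    bundle=$1; dest=$2; passfile=$3
    sumfile=${bundle%.tar.gz.enc}.sha256
    (cd "$(dirname "$bundle")" && sha256sum -c "$(basename "$sumfile")" >/dev/null)
    mkdir -p "$dest"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$passfile" -in "$bundle" \
      | tar -C "$dest" -xzf -
}

# Round trip on a constructed alert file (run as: sh script.sh demo).
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/sensor1"
    printf '[**] [1:0:0] constructed test alert [**]\n' > "$work/sensor1/alert"
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$work/key"
    b=$(pack_alerts "$work/sensor1" "$work/out" "$work/key")
    unpack_alerts "$b" "$work/restored" "$work/key"
    cat "$work/restored/alert"
}

if [ "${1:-}" = demo ]; then demo; fi
```

A tampered or truncated bundle fails the sha256sum check and is never passed to openssl, which is the check the collector would want before importing anything into the database.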
