[Snort-users] Database output

Erwin Van de Velde erwin.vandevelde at ...10361...
Thu Dec 11 06:08:01 EST 2003

> But I strongly recommend to use a different network for reporting
> alerts to a central database server. Don't use the "official" lines
> you are sniffing. And with a separate network encryption should not
> be necessary. (BTW: What are you concerned about? All data could be
> sniffed? But this is what snort already does, so if someone can
> sniff your line he will already see the same as snort... It would
> make sense if the sensors are connected via WAN to the central database
> but then I would suggest to use a local database and access them via
> ssh/ssl to check the content. This should be much less traffic and less
> dangerous if there is a problem with the network.)

I don't even have a big network :-)
I'm writing my master thesis about central logging and analysis, and so I'm 
checking the possibilities that snort and other tools offer, including 
database connectivity, which is in my opinion the easiest way to analyse logs 
afterwards. Also, other tools can log to the same database, creating lots of 
possibilities for cross-analysis.
I'm also looking into the possibilities of using SSL on one network (the 
'official' one), but I've already seen that my conclusion will be that this 
is not good. But even when using a network reserved for logging purposes 
only, SSL seems good to me, as it can encrypt the traffic (for instance, when 
I log which services are running on a computer, it's perhaps better not to 
shout it across the network :-) ), and SSL also gives authentication: is the 
one logging to the database really the one he says he is? Although a separate 
logging network minimizes chances of eavesdropping or forging, I think that 
SSL gives just that little more security...
I only have to see what the performance penalty of using SSL is, and if it is 

Erwin Van de Velde
Student of Antwerp University