[Snort-users] Database output

Dirk Geschke Dirk_Geschke at ...1344...
Thu Dec 11 08:22:02 EST 2003

Hi Erwin,

> I even don't have a big network :-)
> I'm writing my master thesis about central logging and analysis, and so I'm 
> checking the possibilities that snort and other tools offer, including 
> database connectivity, which is in my opinion the easiest way to analyse logs 
> afterwards. Also, other tools can log to the same database, creating lots of 
> possibilities for cross-analysis.
> I'm also looking into the possibilities of using SSL on one network (the 
> 'official' one), but I've already seen, that my conclusion will be that this 
> is not good. But even when using a network reserved for logging purposes 
> only, SSL seems good to me, as it can encrypt the traffic (for instance, when 
> I log which services are running on a computer, it's perhaps better not to 
> shout it across the network :-) ), and SSL gives also authentication: is the 
> one logging to the database really the one he says he is? Although a seperate 
> logging network minimizes chances of eavesdropping or forging, I think that 
> SSL gives just that little more security...
> I only have to see what the performance penalty of using SSL is, and if it is 
> affordable.

this all depends on what you want...

If you use a seperate network for IDS then encryption won't make
sense. If someone has access to sniff this network it is more 
likely that he can also sniff your LAN network you are monitoring
with snort. Therefore you only hide things an attacker should 
already know...

Some databases like MySQL are already able to use SSL so there is
no need to use an stunnel. (Actually it is not built in snort but
I think it would only require an extra option in the connect string
to the library call. So it is not really a problem to implement it.)

Two points are of course important with SSL:

1. The impact on the insert rate. This will be decrease due to the
   encryption. But this will depend on how many traffic is involved.

2. Authentication of the clients/sensors. On a separate network this
   should be no problem. But on a public line this could be a more
   important problem. Gladly in TCP it is not so easy to spoof the 
   source addresses but a valid certifcate would be a much better 
   check than the IP address and username/password.

Best regards

| Dr. Dirk Geschke            | E-mail: geschke at ...1344...      |
| Gesellschaft fuer Netzwerk  | Tel.  : +49-(0)-89-991950-131 |
| und Unix Administration mbH | Fax   : +49-(0)-89-991950-999 |
| 85551 Kirchheim / Germany   | Domagkstrasse 7               |

More information about the Snort-users mailing list