[Snort-users] Database output

Hutchinson, Andrew andrew.hutchinson at ...759...
Thu Dec 11 09:14:02 EST 2003


Just as an FYI on the ssl question...

Erwin mentions in an earlier message that he is using Postgresql.
Postgresql can be compiled to use ssl w/o using stunnel.  You just
simply install OpenSSL before installing Postgresql, and then configure
Postgresql using the "--with-openssl[=DIR]" directive.  You then create
a certificate (look here:
http://www.postgresql.com/docs/7.3/static/ssl-tcp.html for
instructions), and add the "ssl=true" directive in your postgresql.conf
file.

Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
(615) 936-2856


> -----Original Message-----
> From: Dirk Geschke [mailto:Dirk_Geschke at ...1344...] 
> Sent: Thursday, December 11, 2003 10:21 AM
> To: Erwin Van de Velde
> Cc: Dirk Geschke; snort-users at lists.sourceforge.net; 
> Dirk_Geschke at ...1344...
> Subject: Re: [Snort-users] Database output 
> 
> 
> Hi Erwin,
> 
> > I even don't have a big network :-)
> > I'm writing my master's thesis about central logging and analysis, and so I'm
> > checking the possibilities that snort and other tools offer, including
> > database connectivity, which is in my opinion the easiest way to analyse logs
> > afterwards. Also, other tools can log to the same database, creating lots of
> > possibilities for cross-analysis.
> > I'm also looking into the possibilities of using SSL on one network (the
> > 'official' one), but I've already seen that my conclusion will be that this
> > is not good. But even when using a network reserved for logging purposes
> > only, SSL seems good to me, as it can encrypt the traffic (for instance, when
> > I log which services are running on a computer, it's perhaps better not to
> > shout it across the network :-) ), and SSL also gives authentication: is the
> > one logging to the database really the one he says he is? Although a separate
> > logging network minimizes chances of eavesdropping or forging, I think that
> > SSL gives just that little more security...
> > I only have to see what the performance penalty of using SSL is, and if it is
> > affordable.
> 
> this all depends on what you want...
> 
> If you use a separate network for IDS then encryption won't make
> sense. If someone has access to sniff this network it is more 
> likely that he can also sniff your LAN network you are monitoring
> with snort. Therefore you only hide things an attacker should 
> already know...
> 
> Some databases like MySQL are already able to use SSL so there is
> no need to use a stunnel. (Actually it is not built into snort but
> I think it would only require an extra option in the connect string
> to the library call. So it is not really a problem to implement it.)
> 
> Two points are of course important with SSL:
> 
> 1. The impact on the insert rate. This will decrease due to the
>    encryption. But this will depend on how much traffic is involved.
> 
> 2. Authentication of the clients/sensors. On a separate network this
>    should be no problem. But on a public line this could be a more
>    important problem. Fortunately in TCP it is not so easy to spoof the 
>    source addresses but a valid certificate would be a much better 
>    check than the IP address and username/password.
> 
> Best regards
> 
> Dirk
> --
> +-------------------------------------------------------------+
> | Dr. Dirk Geschke            | E-mail: geschke at ...1344...      |
> | Gesellschaft fuer Netzwerk  | Tel.  : +49-(0)-89-991950-131 |
> | und Unix Administration mbH | Fax   : +49-(0)-89-991950-999 |
> | 85551 Kirchheim / Germany   | Domagkstrasse 7               |
> +-------------------------------------------------------------+
> 
> 
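
Putting the two messages above together: the following is an added example, not code from this thread, from Snort or from the PostgreSQL project. It shows the server side of what Andrew describes (SSL enabled in postgresql.conf plus a server certificate) together with the client-certificate authentication Dirk raises in his point 2, and a small audit that finds pg_hba.conf rules which would still let a sensor connect in cleartext. It assumes current PostgreSQL directive names rather than the 7.3-era ones ("ssl = on" instead of "ssl=true", explicit ssl_*_file settings instead of fixed file names in PGDATA) and the "cert" authentication method; the database name snort, the role snort_sensor, the sensor address 10.0.0.5 and the paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread, Snort or the PostgreSQL project:
# server-side SSL setup for a PostgreSQL database that Snort sensors log into,
# plus an audit of pg_hba.conf for rules that still admit cleartext.
# Assumptions (not in the thread): modern directive names (ssl = on,
# ssl_cert_file, ...), the database "snort", the role "snort_sensor" and the
# sensor address 10.0.0.5 are placeholders.

# 1. Self-signed server certificate. Sensors pin this file as their root.crt
#    (sslmode=verify-full) so a spoofed database host cannot collect events.
make_server_cert() {
    dir=$1; host=$2
    openssl req -new -x509 -days 365 -nodes \
        -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.crt" &&
    chmod 600 "$dir/server.key"
}

# 2. Config fragments: enable SSL, and accept the sensor ONLY over hostssl
#    with the "cert" method, i.e. a client certificate signed by root.crt whose
#    CN equals the role name. No plain "host" line means no cleartext fallback.
write_pg_ssl_config() {
    dir=$1
    cat >"$dir/postgresql.conf.ssl" <<'EOF'
ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file  = 'server.key'
ssl_ca_file   = 'root.crt'
EOF
    cat >"$dir/pg_hba.conf.snort" <<'EOF'
# TYPE     DATABASE  USER          ADDRESS        METHOD
hostssl    snort     snort_sensor  10.0.0.5/32    cert
EOF
}

# 3. Audit: print every pg_hba.conf rule that lets database $2 be reached
#    without TLS ("host" accepts either, "hostnossl" refuses TLS; "local" and
#    "hostssl" are left alone). Exit status 0 when at least one was found.
hba_cleartext_rules() {
    awk -v db="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }            # comments, blank lines
        $1 != "host" && $1 != "hostnossl" { next }      # only cleartext-capable types
        {
            n = split($2, dbs, ",")                     # DATABASE may be a list
            for (i = 1; i <= n; i++)
                if (dbs[i] == "all" || dbs[i] == db) { print; found = 1; break }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Usage (run by hand, nothing executes at load time):
#   make_server_cert "$PGDATA" db.example.org
#   write_pg_ssl_config "$PGDATA"
#   hba_cleartext_rules "$PGDATA/pg_hba.conf" snort && echo "cleartext rules remain"
```

The "cert" method gives both properties Erwin asks for: the link is encrypted, and the server only accepts a client certificate signed by root.crt whose CN matches the role, which is the stronger check than source address plus username/password that Dirk describes. On the sensor side, libpq reads PGSSLMODE, PGSSLROOTCERT, PGSSLCERT and PGSSLKEY from the environment, so the database output plugin can be made to present its certificate and verify the server's without any change to the connect string Snort builds.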
