[Snort-users] Database output

Erwin Van de Velde erwin.vandevelde at ...10361...
Thu Dec 11 09:28:03 EST 2003


> Some databases like MySQL are already able to use SSL so there is
> no need to use an stunnel. (Actually it is not built in snort but
> I think it would only require an extra option in the connect string
> to the library call. So it is not really a problem to implement it.)

I need stunnel when I want the client to use its own certificate, that is then 
verified by the server.

> Two points are of course important with SSL:
> 1. The impact on the insert rate. This will decrease due to the
>    encryption. But this will depend on how much traffic is involved.

I noticed, but it is foremost the setup of the connection, afterwards the 
costs are acceptably low.

> 2. Authentication of the clients/sensors. On a separate network this
>    should be no problem. But on a public line this could be a more
>    important problem. Gladly in TCP it is not so easy to spoof the
>    source addresses but a valid certificate would be a much better
>    check than the IP address and username/password.

Okay, spoofing TCP is indeed not easy, but I also want to use an authenticated 
way for the client to tell it's still there (+/- every minute, configurable). 
Without authentication, someone could take my client down and start acting as 
if he was the client, setting up his own TCP connection to the server, 
telling the client is still there (As I don't want to use a persistent TCP
connection here, because in that case, the server needs to keep a lot of 
connections open in large networks). This is dangerous, as the client also 
notifies the server when services on the host change their status: Running 
<-> Stopped... So: not authenticating would permit the attacker to create 
false negatives on service statuses.
This is of course all done outside of snort.
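An added illustration of the authenticated "still there" notification the post argues for (example code, not from the original thread or from snort): each heartbeat carries the sensor's service statuses, a timestamp and a sequence number, all bound by an HMAC under a per-sensor shared secret. The server then rejects a heartbeat whose tag does not match (a forged or altered status), one that is too old, or one whose sequence number was already seen, so a captured heartbeat cannot be re-sent after the real client is taken down. The sensor id, key and field names are assumptions for the demo.

```python
import hmac
import hashlib
import json
import time

# Constructed per-sensor shared secret for the demo; a real deployment would
# provision one secret per client (or use client certificates via stunnel).
SENSOR_KEY = b"constructed-demo-secret-for-sensor-01"
MAX_SKEW = 90  # seconds; heartbeats arrive roughly every minute, older ones are stale

def _canonical(fields):
    # Stable byte encoding of the fields so client and server MAC the same bytes
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def sign_heartbeat(sensor_id, seq, services, key, now=None):
    """Client side: build a heartbeat and attach an HMAC-SHA256 tag over its fields."""
    ts = int(now if now is not None else time.time())
    body = {"sensor": sensor_id, "seq": seq, "ts": ts, "services": services}
    body["tag"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body

class HeartbeatVerifier:
    """Server side: accept only heartbeats that carry a valid tag, are fresh, and
    advance the per-sensor sequence number, so a captured one cannot be replayed."""
    def __init__(self, keys):
        self.keys = keys       # sensor_id -> shared key
        self.last_seq = {}     # sensor_id -> highest sequence number accepted so far

    def verify(self, msg, now=None):
        now = int(now if now is not None else time.time())
        key = self.keys.get(msg.get("sensor"))
        if key is None:
            return False, "unknown sensor"
        fields = {k: v for k, v in msg.items() if k != "tag"}
        expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return False, "bad tag"      # forged, or a service status altered in transit
        if abs(now - msg["ts"]) > MAX_SKEW:
            return False, "stale"        # an old heartbeat replayed much later
        if msg["seq"] <= self.last_seq.get(msg["sensor"], -1):
            return False, "replay"       # this or an earlier sequence number already seen
        self.last_seq[msg["sensor"]] = msg["seq"]
        return True, "ok"
```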

