[Snort-users] Securing Host Based Snort Installs

johnny.venter johnny.venter at ...15370...
Wed Jun 5 14:25:59 EDT 2013


Since the credentials are stored in files, you could use file/folder permissions in Windows to restrict read/write/modify access. 

Only caveat is that members of the local administrators group can take ownership and then modify file permissions.

Another option is to use EFS on Windows.  You can log on with your credentials and encrypt the Snort directories.  Even if an administrator then takes ownership of the directories/files or has Full Control, they will *not* be able to view the document because EFS is linked to your user account.

Not sure how you installed Snort so you might have to enable EFS with the Snort service account to allow the Snort service to encrypt and decrypt the file on the fly.

--
Johnny
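As an added illustration of the two measures above (this is not from Johnny's post or from the Snort project), the PowerShell below tightens the NTFS ACL on the directory holding snort.conf and barnyard2.conf and then encrypts it with EFS. The path C:\Snort\etc and the local service account name snortsvc are assumptions; the ACL step runs as an administrator, while the EFS step must run in a session logged on as the service account so that only that account holds the decryption key.

```powershell
# Added example, not part of the original thread. Assumed values:
$snortDir       = 'C:\Snort\etc'                 # hypothetical config directory
$serviceAccount = "$env:COMPUTERNAME\snortsvc"   # hypothetical Snort/Barnyard2 service account

# ---- Step 1 (run as an administrator): minimal explicit ACL -------------
$acl = Get-Acl -Path $snortDir
# Stop inheriting ACEs from C:\Snort and drop the inherited ones.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in $acl.Access) { $null = $acl.RemoveAccessRule($rule) }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# The service only needs to read its .conf files, so grant read-only.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $serviceAccount, 'ReadAndExecute', $inherit, $prop, $allow)))
# SYSTEM and Administrators keep full control. As the post notes, admins can take
# ownership anyway; that residual risk is what the EFS step below addresses.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $prop, $allow)))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', $inherit, $prop, $allow)))
Set-Acl -Path $snortDir -AclObject $acl

# Check: only the three principals above should remain.
(Get-Acl -Path $snortDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table

# ---- Step 2 (run while logged on AS the service account) ----------------
# EFS keys are tied to the account that encrypts, so an administrator who later
# takes ownership still cannot read the plaintext. Encrypt the directory and
# everything under it; files created there later are encrypted automatically.
if ($env:USERNAME -ieq 'snortsvc') {
    cipher.exe /e /s:$snortDir
    # Check: lists which user certificates can decrypt each file.
    cipher.exe /c /s:$snortDir
} else {
    Write-Warning "Run step 2 logged on as $serviceAccount, not $env:USERNAME."
}
```

The `cipher.exe /c` output is the check worth keeping: each config file should list only the service account's certificate (plus any data recovery agent your domain policy defines).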


---- On Fri, 31 May 2013 18:59:11 -0700 Craig Wright wrote ---- 

>I will send details tomorrow
> On 01/06/2013 11:58 AM, "Steven McLaughlin" wrote:
> Hi All,
>
>
>I have a snort station up and running with a couple of sensor tap ports and MySQL database. Using the schema that ships with Snorby.
>
>
>I was wondering if anyone could shed some light on security best practice for authentication to the DB from remote Snort or Barnyard2 connections.
> 
>
>I can happily run a MySQL connection over stunnel for encryption or use SSL through the MySQL DB natively. However my concern relates to the credentials used for authentication.
>
>
>Both Snort, and Barnyard2 database connection configuration store the password in the .conf files. Which is fine when I am running these sensors on a hardened server which is only accessed by security engineers. However with remote sensors this has the risk of database compromise.
> 
>For example, if I have a snort sensor happily running on a Windows 2008 server which authenticates to my mothership DB server (where I may not have control over who logs in on the Win box). Let's say a malicious user steals the DB authentication credentials from the .conf file whilst logged into the Windows server. They then have write access to the central snort database and could effectively delete large portions of it.
> 
>
>Is there any best practice or philosophy for deployment to avoid this risk with remote HIDS based snort sensors?
>
>
>thanks,
>
>
>Steve