Re: [Snort-users] Database output



12-11-2003
Dirk Geschke
 
Re: [Snort-users] Database output

Hi Erwin,

> I'm using a postgresql database to store the output of my snort sensors, but
> what happens if the database is temporarily unavailable (for instance,
> connecting fails due to a heavy load on network / database)? Does snort keep
> the queries for sending when database connectivity is restored? Or are these
> queries dropped?
> In my opinion, storing these queries temporarily is the safest solution, as we
> must certainly log data when a severe attack on our network takes place...
> And then chances are bigger that we can't connect to the database
> immediately.
> And does snort open a database connection for every query it sends? Or is
> there some sort of persistent connection (for example one that times out
> after 1 minute of inactivity, closing the connection then)...
> I'd like to use SSL connections to the database, using stunnel, but opening a
> connection for every query would have severe consequences for network and
> server.


These are a lot of questions...

First: The database output plugin has a major problem if the database
dies. Actually the Insert() will fail and there is no mechanism built
in to react to this problem.

The alerts are not stored temporarily; they are silently dropped by
the database output plugin (maybe another plugin stores them, but that
is another story).

If the database is available again, you have to reconnect. But since
the output plugin ignores the error messages you can't try a reconnect.
(This is only done on startup of snort.)

Finally: The database connection is opened once (on startup of snort
or on a reconfigure, which at least restarts snort). After this
the connection is persistent as long as the database is available.

Therefore it should be possible to connect via a stunnel or an
ssh tunnel.

But I strongly recommend using a different network for reporting
alerts to a central database server. Don't use the "official" lines
you are sniffing. And with a separate network, encryption should not
be necessary. (BTW: What are you concerned about? That all data could be
sniffed? But this is what snort already does, so if someone can
sniff your line he will already see the same as snort... It would
make sense if the sensors are connected via WAN to the central database,
but then I would suggest using a local database and accessing it via
ssh/ssl to check the content. This should be much less traffic and less
dangerous if there is a problem with the network.)

Best regards

Dirk
--
+-------------------------------------------------------------+
| Dr. Dirk Geschke | E-mail: geschke@genua.de |
| Gesellschaft fuer Netzwerk | Tel. : +49-(0)-89-991950-131 |
| und Unix Administration mbH | Fax : +49-(0)-89-991950-999 |
| 85551 Kirchheim / Germany | Domagkstrasse 7 |
+-------------------------------------------------------------+

Snort-users mailing list
Snort-users@lists.sourceforge.net
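The failure mode Dirk describes (a failed Insert() that is silently dropped, with reconnects attempted only at snort startup) is exactly the gap Erwin's question is about. The following is an added example, not Snort's database output plugin and not code from anyone in this thread: a Python sketch of the "store the queries temporarily" approach, a writer that keeps one persistent connection, appends alerts to a local spool file when an insert fails, retries the connection on later writes, and replays the spool once the database is back. The `FlakyDatabase` class, the alert records, the spool path and the zero retry interval are all constructed for the example; a real deployment would wrap a PostgreSQL client and use a back-off between reconnect attempts.

```python
"""Spool-and-retry alert writer (added example, not Snort's database plugin)."""
import json
import os
import tempfile
import time


class DatabaseDown(Exception):
    """Raised by the simulated database when it is unreachable."""


class FlakyDatabase:
    """Constructed stand-in for the PostgreSQL backend; toggle `available`."""

    def __init__(self):
        self.available = True
        self.rows = []  # what actually reached the database

    def connect(self):
        if not self.available:
            raise DatabaseDown("connect failed")

    def insert(self, alert):
        if not self.available:
            raise DatabaseDown("insert failed")
        self.rows.append(alert)


class ResilientAlertWriter:
    """One persistent connection, local spool on failure, replay on reconnect."""

    def __init__(self, db, spool_path, retry_interval=0.0):
        self.db = db
        self.spool_path = spool_path
        self.retry_interval = retry_interval  # seconds between reconnect tries
        self.next_retry = 0.0
        self.connected = self._connect()

    def _connect(self):
        try:
            self.db.connect()
            return True
        except DatabaseDown:
            self.next_retry = time.monotonic() + self.retry_interval
            return False

    def _spool(self, alert):
        # One JSON line per alert; fsync so a sensor crash does not lose it.
        with open(self.spool_path, "a") as f:
            f.write(json.dumps(alert) + "\n")
            f.flush()
            os.fsync(f.fileno())

    def _replay_spool(self):
        """Push spooled alerts in order; stop (and keep the rest) if the DB dies."""
        if not os.path.exists(self.spool_path):
            return 0
        with open(self.spool_path) as f:
            pending = [json.loads(line) for line in f if line.strip()]
        replayed = 0
        for alert in pending:
            try:
                self.db.insert(alert)
                replayed += 1
            except DatabaseDown:
                self.connected = False
                break
        remaining = pending[replayed:]
        if remaining:
            with open(self.spool_path, "w") as f:
                f.writelines(json.dumps(a) + "\n" for a in remaining)
        else:
            os.remove(self.spool_path)
        return replayed

    def write(self, alert):
        """Return 'inserted' or 'spooled'; an alert is never dropped."""
        if not self.connected and time.monotonic() >= self.next_retry:
            self.connected = self._connect()
            if self.connected:
                self._replay_spool()  # drain the backlog before new alerts
        if self.connected:
            try:
                self.db.insert(alert)
                return "inserted"
            except DatabaseDown:
                self.connected = False
                self.next_retry = time.monotonic() + self.retry_interval
        self._spool(alert)
        return "spooled"


def run_scenario(spool_path=None):
    """Database goes away mid-run and comes back; returns what happened."""
    if spool_path is None:
        spool_path = os.path.join(tempfile.mkdtemp(), "alerts.spool")
    db = FlakyDatabase()
    writer = ResilientAlertWriter(db, spool_path)
    results = [writer.write({"sid": 1, "msg": "constructed alert 1"})]
    db.available = False  # e.g. heavy load on the network or the database
    results.append(writer.write({"sid": 2, "msg": "constructed alert 2"}))
    results.append(writer.write({"sid": 3, "msg": "constructed alert 3"}))
    db.available = True  # database reachable again
    results.append(writer.write({"sid": 4, "msg": "constructed alert 4"}))
    return results, [r["sid"] for r in db.rows], os.path.exists(spool_path)


if __name__ == "__main__":
    print(run_scenario())
```

The ordering matters: the spool is replayed before the alert that triggered the reconnect is inserted, so rows land in the database in the order the sensor saw them, and the spool file is only deleted once every pending alert has been acknowledged by an insert.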