Snort mailing list archives

Re: DB Rules


From: "Jason Robertson" <jason () ifuture com>
Date: Mon, 20 Aug 2001 15:13:47 -0400

[Reply Inline]

On 19 Aug 2001, at 21:50, Erek Adams wrote:

On Sun, 19 Aug 2001, Jason Robertson wrote:

actually you wouldn't have to worry so much about -HUPing the database, if
it's running a sql database, or the likes just insert the data directly into
the database, when you are ready you rehup everything, it would then open a
connection to the database do select * from rules, and then close the
database.  As for others, that's what clustered databases, can be used for.

I'm all for centralized data!  :)  In my work, I deal _very_ closely with
LDAP.  I think that if Snort had an LDAP plugin, it would rock, but that's my
opinion. :)  LDAP kicks ass, but is _NOT_ the fix for everything.  You just have
to keep that in mind.

LDAP isn't a fix-all, like NDS isn't a fix-all (though I do like it over the NT 
Domain System)

It's the methodology I am using for my pam module actually for postgresql,
which is a multiple database engine design, so I have a backup which both db's
update each other, though I am planning to add a front end to that as well..
to provide a caching option, to store a number of transactions.. Though I wish
the db servers had an option to cache in a connection, especially inserts,
which can be where the biggest delays can occur.

Very, very nice.  I _think_ (take that for what you will :), that the DB
output plugin is being reworked a bit.  Between that rework and BarnYard, I think
we're going to see a whole new breed of snort.  Marty and crew are like code
demons--It's amazing.  Hell, it takes me 3-5 days to write a GW-BASIC "Hello
World" program, and they're turning out amazing things in just a few HOURS!

I know there are some reworks, as some changes were requests I asked, well 
the big one I asked was for them to change the create_postgresql to use 
Foreign Keys.  And I know what it's like to work on code, if I wasn't so busy 
with at least 400 other odd jobs, and at least 10 programming projects in 
which I have as much help, as my brain will give me.

[Blatant Plug:  Everyone needs to go out and buy an OpenSnort Sensor and
Management Console.  Make the Pointy-Hair types do it!  It'll make your job
simpler! http://www.sourcefire.com/ :-]

But the biggest benefit, is that you can simplify, and reduce the number
of areas to maintain, it is the reason for my sql pam and nss modules I
have been working on and going nuts on it.. I am thinking of a different
system, I would love to use kerberos, but after looking at it.. I don't
have a need for that level of system, and then again using DES, there are
now programs that can crack DES in real time, so since it's pretty much
internal anyways, I am working on a networked auth system.. for that
purpose..  jason

Very cool.  But one thing that I'm not quite understanding--Why wouldn't a
'Master Control Program' (Sorry, too much Tron...) using flat files, and ssh
keys work just as well?  The infrastructure already exists in most setups, you've
got simple control over your files, configs, rules, etc.  It's secure, prebuilt,
preinstalled and works.  No extra things to break.  If you can't ssh to a
sensor, something is wrong...  No, OpenSSH isn't the end-all-be-all, but it's
simple, handy, and almost no overhead (if you have a good PRNG).


But here comes the other problem.  If you have 4 sensors, do you want 4 
sensors with ssh, that all have root access?  Remember ssh1.x has had 
problems since the beginning, and openssh does go back to that.  But also if 
you run the original ssh, it could also be a problem, since if I remember their 
2.x code recently also had a big backdoor that allowed root access..
And many cases this must be used in root access, depending on 
configuration. (boy I wish trusted systems, eg trustedBSD, were easier to 
find, and were more stable than they currently are)

And as for the other person, you can still lose data, through both manner of 
having a rules file, and at least on postgres (I haven't checked mysql) you 
could easily have a notify, in which the sensors are told of when the file is 
updated, and it could then reload the file list.

I am working on a databased option for our user's mailspool, big reason, is to 
save some processing time, and to allow for concurrency. (also to make it 
easier to clean up user's mail, when they hit 10,000 <1 k messages)  The 
side benefit, is that I can chroot the smtp server, and pop3 server, and I 
would then only need a single file for them to store mail to, which would be 
the db pipe, as well as authentication this way would be nice, since we do 
have nearly 400 domains, that will be transferred here in the next while, and it 
would be greatly simplified to allow them to specify a domain on auth as 
well.  But sadly I must code this as well.

Jason





---
Jason Robertson                
Network Analyst            
jason () ifutureinc com    
http://www.astroadvice.com      

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
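As an added illustration (not code from this thread, from Snort, or from Jason's own modules), this is what the NOTIFY-driven reload described above could look like on a modern PostgreSQL: rules live in a table with foreign keys, a trigger announces changes, and each sensor listens and re-selects its own rules under a read-only role instead of needing root or write access. Table, column, channel and role names are assumptions, and pg_notify with a payload needs PostgreSQL 9.0 or later.

```sql
-- Central rules store. Names are assumed for this example.
CREATE TABLE sensors (
    sensor_id   serial PRIMARY KEY,
    hostname    text NOT NULL UNIQUE
);

CREATE TABLE rules (
    rule_id     serial PRIMARY KEY,
    sensor_id   integer NOT NULL
                REFERENCES sensors(sensor_id) ON DELETE CASCADE,
    rule_text   text NOT NULL,           -- one Snort rule line
    enabled     boolean NOT NULL DEFAULT true,
    updated_at  timestamptz NOT NULL DEFAULT now()
);

-- Fire a notification on every change; the payload is the sensor id so a
-- sensor can ignore changes meant for others. PostgreSQL collapses identical
-- channel+payload notifications within one transaction, so a bulk update
-- for one sensor still yields a single wake-up.
CREATE OR REPLACE FUNCTION notify_rules_changed() RETURNS trigger AS $$
BEGIN
    PERFORM pg_notify('rules_changed',
                      COALESCE(NEW.sensor_id, OLD.sensor_id)::text);
    RETURN NULL;   -- AFTER trigger, return value is ignored
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER rules_changed_trg
    AFTER INSERT OR UPDATE OR DELETE ON rules
    FOR EACH ROW EXECUTE FUNCTION notify_rules_changed();

-- Sensors only ever read rules: no write access, no superuser on the box.
CREATE ROLE sensor_ro NOLOGIN;
GRANT SELECT ON sensors, rules TO sensor_ro;

-- Constructed sample data for one sensor.
INSERT INTO sensors (hostname) VALUES ('sensor1.example.invalid');
INSERT INTO rules (sensor_id, rule_text) VALUES
    (1, 'alert tcp any any -> $HOME_NET 23 (msg:"telnet login attempt"; sid:1000001;)');

-- On the sensor, in a persistent session as a member of sensor_ro:
LISTEN rules_changed;
-- When a 'rules_changed' notification with payload '1' arrives, reload:
SELECT rule_text FROM rules
 WHERE sensor_id = 1 AND enabled
 ORDER BY rule_id;
```

The sensor-side client still has to poll its connection for notifications and then HUP or re-parse Snort with the freshly selected rules; that glue is outside what the thread discusses.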