Snort mailing list archives
Re: DB Rules
From: "Jason Robertson" <jason () ifuture com>
Date: Mon, 20 Aug 2001 15:13:47 -0400
[Reply Inline] On 19 Aug 2001, at 21:50, Erek Adams wrote:

> On Sun, 19 Aug 2001, Jason Robertson wrote:
>
>> Actually you wouldn't have to worry so much about -HUPing the database; if it's running a SQL database or the like, just insert the data directly into the database. When you are ready you rehup everything; it would then open a connection to the database, do select * from rules, and then close the database. As for others, that's what clustered databases can be used for.
>
> I'm all for centralized data! :) In my work, I deal _very_ closely with LDAP. I think that if Snort had an LDAP plugin, it would rock, but that's my opinion. :) LDAP kicks ass, but is _NOT_ the fix for everything. You just have to keep that in mind.

LDAP isn't a fix-all, like NDS isn't a fix-all (though I do like it over the NT Domain System).

>> It's the methodology I am using for my PAM module, actually, for PostgreSQL, which is a multiple database engine design, so I have a backup where both DBs update each other, though I am planning to add a front end to that as well, to provide a caching option, to store a number of transactions. Though I wish the DB servers had an option to cache in a connection, especially inserts, which can be where the biggest delays can occur.
>
> Very, very nice. I _think_ (take that for what you will :), that the DB output plugin is being reworked a bit. Between that rework and BarnYard, I think we're going to see a whole new breed of Snort. Marty and crew are like code demons--it's amazing. Hell, it takes me 3-5 days to write a GW-BASIC "Hello World" program, and they're turning out amazing things in just a few HOURS!

I know there are some reworks, as some changes were requests I asked for; well, the big one I asked for was for them to change the create_postgresql to use foreign keys. And I know what it's like to work on code, if I wasn't so busy with at least 400 other odd jobs, and at least 10 programming projects in which I have as much help as my brain will give me.

> [Blatant Plug: Everyone needs to go out and buy an OpenSnort Sensor and Management Console. Make the Pointy-Hair types do it! It'll make your job simpler! http://www.sourcefire.com/ :-]
>
>> But the biggest benefit is that you can simplify, and reduce the number of areas to maintain; it is the reason for my SQL PAM and NSS modules I have been working on and going nuts on. I am thinking of a different system; I would love to use Kerberos, but after looking at it, I don't have a need for that level of system, and then again using DES, there are now programs that can crack DES in real time, so since it's pretty much internal anyways, I am working on a networked auth system for that purpose.
>>
>> jason
>
> Very cool. But one thing that I'm not quite understanding--why wouldn't a 'Master Control Program' (sorry, too much Tron...) using flat files and ssh keys work just as well? The infrastructure already exists in most setups; you've got simple control over your files, configs, rules, etc. It's secure, prebuilt, preinstalled and works. No extra things to break. If you can't ssh to a sensor, something is wrong... No, OpenSSH isn't the end-all-be-all, but it's simple, handy, and almost no overhead (if you have a good PRNG).

But here comes the other problem. If you have 4 sensors, do you want 4 sensors with ssh that all have root access? Remember ssh 1.x has had problems since the beginning, and OpenSSH does go back to that. But also if you run the original ssh, it could also be a problem, since if I remember their 2.x code recently also had a big backdoor that allowed root access. And in many cases this must be used with root access, depending on configuration. (Boy, I wish trusted systems, e.g. TrustedBSD, were easier to find and were more stable than they currently are.)

And as for the other person, you can still lose data through both manners of having a rules file, and at least on Postgres (I haven't checked MySQL) you could easily have a notify, in which the sensors are told when the file is updated, and it could then reload the file list.

I am working on a databased option for our users' mailspool; the big reason is to save some processing time and to allow for concurrency (also to make it easier to clean up users' mail when they hit 10,000 <1k messages). The side benefit is that I can chroot the SMTP server and POP3 server, and I would then only need a single file for them to store mail to, which would be the DB pipe. Authentication this way would be nice as well, since we do have nearly 400 domains that will be transferred here in the next while, and it would be greatly simplified to allow them to specify a domain on auth as well. But sadly I must code this as well.

Jason

---
Jason Robertson
Network Analyst
jason () ifutureinc com
http://www.astroadvice.com
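The Postgres notify-driven reload and the foreign-key schema discussed in this thread, as an added example that is not part of the original message or of Snort's own create_postgresql script; the table, channel, role and hostname names are assumptions.

```sql
-- Constructed example schema (not Snort's create_postgresql): rules live in the
-- database instead of a flat file and a trigger NOTIFYs listening sensors.
CREATE TABLE sensor (
    sensor_id   SERIAL PRIMARY KEY,
    hostname    TEXT NOT NULL UNIQUE
);

CREATE TABLE rules (
    rule_id     SERIAL PRIMARY KEY,
    sid         INTEGER NOT NULL UNIQUE,     -- Snort signature id
    enabled     BOOLEAN NOT NULL DEFAULT TRUE,
    rule_text   TEXT NOT NULL                -- the full Snort rule line
);

-- Foreign keys (the change the thread asks of create_postgresql): a sensor can
-- only be assigned rules that exist, and deleting a rule removes its assignments.
CREATE TABLE sensor_rules (
    sensor_id   INTEGER NOT NULL REFERENCES sensor(sensor_id) ON DELETE CASCADE,
    rule_id     INTEGER NOT NULL REFERENCES rules(rule_id)    ON DELETE CASCADE,
    PRIMARY KEY (sensor_id, rule_id)
);

-- Statement-level trigger: any change to rules wakes every LISTENing sensor,
-- so nobody has to -HUP sensors by hand.
CREATE OR REPLACE FUNCTION notify_rules_changed() RETURNS trigger AS $$
BEGIN
    NOTIFY snort_rules_changed;
    RETURN NULL;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER rules_changed
    AFTER INSERT OR UPDATE OR DELETE ON rules
    FOR EACH STATEMENT EXECUTE PROCEDURE notify_rules_changed();

-- Least privilege: sensors only read rules, so a compromised sensor cannot push
-- rule changes to its peers (the root-on-every-sensor concern above).
CREATE ROLE snort_sensor NOLOGIN;
GRANT SELECT ON sensor, rules, sensor_rules TO snort_sensor;

-- Sensor side: LISTEN once per connection; on each notification re-read only the
-- enabled rules assigned to this host and hand them to the sensor's reload.
LISTEN snort_rules_changed;
SELECT r.rule_text
  FROM rules r
  JOIN sensor_rules sr ON sr.rule_id = r.rule_id
  JOIN sensor s ON s.sensor_id = sr.sensor_id
 WHERE s.hostname = 'sensor1.example'  -- placeholder hostname
   AND r.enabled
 ORDER BY r.sid;
```

Whatever the sensor reads from rule_text goes straight into Snort's rule parser, so the INSERT/UPDATE side of this table is as sensitive as the old root-owned rules file and should be limited to the management console's role.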