Hi,

Ofir Arkin (OA) and Pete Finnigan (PF) posted messages partially quoted below.

OA> Oracle security and IDS monitoring of the database is a VERY big issue
OA> when we are talking about major corporations using Oracle as their
OA> master DB of choice.

Yes it is a big issue. Just purchasing Oracle, the machine to run it on, hiring and/or training staff, and customizing the database and tools is an investment with an uncertain payback.

PF> ... if this is because there is a lack of interest in Oracle security
PF> or because there is genuinely nothing out there.

There is not much out there because of the price of entry. Only organizations that have significant amounts of data generated by various IDS sensors would find it useful. My company developed something called Voyeur, and the current version uses Oracle. I am not certain what the status is of Voyeur as the people who developed it have left the company. It was originally developed around MySQL, but MySQL could not handle the volume of data that was generated by some of our clients.

PF> ... I have decided to write an Oracle IDS myself.

Go for it.

PF> ... whether it will be free or commercial, ...

Do both. I would suggest that you actually design your IDS to use both Oracle and MySQL (or a similar database). The free version would only provide basic IDS functionality, and the commercial version would have value-added features.

PF> ... what features they feel would be important ...

Feature number one would be security of the database. The collected information would be very valuable to any potential attacker. Severely limit access to the entire database.

Feature number two would be to use the database for more than IDS. The collected information should be considered to be part of "corporate history". I don't know if I would want to use the database for realtime monitoring. Realtime monitoring should be done on the data prior to storage in the database. I would say the focus of the analysis on the database should be looking at time periods ranging from a couple of days to a few months.

PF> Not sure about an interface (GUI) yet, maybe Java based.

Java or HTTP. Both are platform independent and you have lots of examples to draw upon.

PF> The signatures will be easy to define and be stored in the
PF> database encrypted.

What is the point of encryption? Where is/are the decryption key(s) kept?

Returning to the issue of free or commercial, you really need to decide this early on as this will influence key design and implementation decisions. If you decide on free, then use your own environment and needs to guide these decisions. Otherwise, you will need to consider a much wider set of issues on which to base your decisions about the design and implementation.

Good luck & B Cing U

Buck

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
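The two design points in the message above (severely limit access to the event store; use the database for analysis over days-to-months windows rather than for realtime detection) expressed as working SQL. This is an added example, not code from the original message or from Voyeur. It uses MySQL syntax; the database name, table layout, user names, host ranges, passwords and the sample events are all assumptions constructed for the example.

```sql
-- Added example (not from the original message). MySQL dialect.
-- Event store for an IDS, with access split by role:
--   sensors may only append rows, analysts may only read them.
-- Names, host ranges and sample data below are assumptions.
CREATE DATABASE ids_store;
USE ids_store;

CREATE TABLE events (
    id        BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    ts        DATETIME        NOT NULL,
    sensor    VARCHAR(64)     NOT NULL,
    src_ip    VARCHAR(45)     NOT NULL,   -- wide enough for IPv6 text form
    dst_ip    VARCHAR(45)     NOT NULL,
    dst_port  SMALLINT UNSIGNED,
    sig_id    INT UNSIGNED    NOT NULL,   -- signature that fired
    INDEX ix_ts (ts),                     -- time-window scans
    INDEX ix_sig_ts (sig_id, ts)          -- per-signature history
);

-- Sensors: INSERT only, from the sensor network (assumed 10.0.0.0/24).
-- No SELECT, so a compromised sensor cannot read the corporate history;
-- no DDL, so it cannot alter or drop the table.
CREATE USER 'ids_writer'@'10.0.0.%' IDENTIFIED BY 'replace-with-a-real-secret';
GRANT INSERT ON ids_store.events TO 'ids_writer'@'10.0.0.%';

-- Analysts: SELECT only, from the analysis hosts (assumed 10.0.1.0/24).
CREATE USER 'ids_analyst'@'10.0.1.%' IDENTIFIED BY 'replace-with-a-real-secret';
GRANT SELECT ON ids_store.events TO 'ids_analyst'@'10.0.1.%';

-- Nobody else gets anything; the DBA account is the only other login.
FLUSH PRIVILEGES;

-- Constructed sample events (what a sensor would have appended).
INSERT INTO events (ts, sensor, src_ip, dst_ip, dst_port, sig_id) VALUES
  ('2001-09-01 02:14:00', 'dmz-1', '192.0.2.10',  '198.51.100.5', 80,  1042),
  ('2001-09-01 02:15:30', 'dmz-1', '192.0.2.10',  '198.51.100.5', 443, 1042),
  ('2001-09-14 11:02:11', 'dmz-2', '203.0.113.7', '198.51.100.9', 22,  2001),
  ('2001-09-20 23:59:59', 'dmz-1', '192.0.2.10',  '198.51.100.6', 80,  1042);

-- Historical analysis over a two-month window, run as ids_analyst:
-- which sources trip the same signature repeatedly, on how many
-- distinct days, and when they were first and last seen.
SELECT src_ip,
       sig_id,
       COUNT(*)                  AS hits,
       COUNT(DISTINCT DATE(ts))  AS active_days,
       MIN(ts)                   AS first_seen,
       MAX(ts)                   AS last_seen
FROM   events
WHERE  ts >= '2001-08-01' AND ts < '2001-10-01'
GROUP  BY src_ip, sig_id
HAVING hits > 1
ORDER  BY hits DESC;
```

With the sample rows, 192.0.2.10 / signature 1042 is the only group returned (three hits over two distinct days); the single 203.0.113.7 event is filtered by the HAVING clause. Realtime matching is deliberately absent here: it belongs in the sensor before the INSERT, and the writer account has no way to query what has already been stored.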
This archive was generated by hypermail 2b30 : Fri Sep 21 2001 - 07:39:53 PDT