RE: [logs] Oracle IDS

From: lbuchanaat_private
Date: Fri Sep 21 2001 - 07:21:04 PDT


    Hi,
    
    Ofir Arkin (OA) and Pete Finnigan (PF) posted messages partially quoted
    below.
    
    OA> Oracle security and IDS monitoring of the database is a VERY big issue
    OA> when we are talking about major corporations using Oracle as their
    OA> master DB of choice.
    
    Yes it is a big issue.  Just purchasing Oracle, the machine to run it on,
    hiring and/or training staff, and customizing the database and tools is an
    investment with an uncertain payback.
    
    PF> ... if this is because there is a lack of interest in Oracle security
    PF> or because there is genuinely nothing out there.
    
    There is not much out there because of price of entry.  Only organizations
    that have significant amounts of data generated by various IDS sensors
    would find it useful.  My company developed something called Voyeur, and
    the current version uses Oracle.  I am not certain what the status is of
    Voyeur as the people who developed it have left the company.  It was
    originally developed around MySQL, but MySQL could not handle the volume of
    data that was generated by some of our clients.
    
    PF> ... i have decided to write an Oracle IDS myself.
    
    Go for it.
    
    PF> ... whether it will be free or commercial, ...
    
    Do both.  I would suggest that you actually design your IDS to use both
    Oracle and MySQL (or similar database).  The free version would only
    provide basic IDS functionality, and the commercial version would have
    value added features.
    
    PF> ... what features they feel would be important ...
    
    Feature number one would be security of the database.  The collected
    information would be very valuable to any potential attacker.  Severely
    limit access to the entire database.
    
    Feature number two would be to use the database for more than IDS.  The
    collected information should be considered to be part of "corporate
    history".
    
    I don't know if I would want to use the database for realtime monitoring.
    Realtime monitoring should be done on the data prior to storage in the
    database.  I would say the focus of the analysis on the database should be
    looking at time periods ranging from a couple of days to a few months.
    
    PF> Not sure about an interface ( GUI ) yet, maybe Java based.
    
    Java or HTTP.  Both are platform independent and you have lots of examples to
    draw upon.
    
    PF> The signatures will be easy to define and be stored in the
    PF> database encrypted.
    
    What is the point of encryption?  Where is/are the decryption key(s) kept?
    
    Returning to the issue of free or commercial, you really need to decide
    this early on as this will influence key design and implementation
    decisions.  If you decide on free, then use your own environment and needs
    to guide these decisions.  Otherwise, you will need to consider a much
    wider set of issues on which to base your decisions about the design and
    implementation.
    
    Good luck & B Cing U
    
    Buck
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
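The design points in Buck's reply (run realtime rules on the alert stream before anything is stored, query the stored events over days to months, and severely limit who can touch the database), as an added example that is not part of the original mailing-list post. It uses sqlite3 standing in for the Oracle/MySQL back end discussed in the thread; the sample alert lines are constructed, and the alert format, the signature names, the rule of five alerts from one source within a minute and the 7-day and 30-day windows are assumptions for illustration. The read-only connection stands in for a separate database account granted only SELECT on the event table.

```python
"""Two-tier handling of IDS sensor alerts (added example, not the post's code).
Tier 1: realtime rules on the stream, before storage.
Tier 2: historical queries on the stored events, over a read-only handle
        (on Oracle/MySQL: a separate account granted only SELECT on event).
The alert format, signatures and thresholds are illustrative assumptions."""
import os
import sqlite3
import tempfile
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import Path

# Constructed sample alerts: "ISO timestamp|sensor|signature|src_ip|dst_ip"
SAMPLE_ALERTS = """\
2001-08-30T23:59:59|snort-dmz|SCAN nmap TCP|203.0.113.5|192.0.2.10
2001-09-18T02:15:00|snort-int|SCAN nmap TCP|10.1.1.50|192.0.2.20
2001-09-20T10:00:01|snort-dmz|WEB-IIS cmd.exe access|10.9.8.7|192.0.2.10
2001-09-20T10:00:05|snort-dmz|WEB-IIS cmd.exe access|10.9.8.7|192.0.2.11
2001-09-20T10:00:09|snort-dmz|WEB-IIS cmd.exe access|10.9.8.7|192.0.2.12
2001-09-20T10:00:12|snort-dmz|WEB-IIS cmd.exe access|10.9.8.7|192.0.2.13
2001-09-20T10:00:20|snort-dmz|WEB-IIS cmd.exe access|10.9.8.7|192.0.2.14
2001-09-20T11:30:00|snort-int|SCAN nmap TCP|10.1.1.50|192.0.2.10
"""

SCHEMA = """
CREATE TABLE IF NOT EXISTS event (
    id INTEGER PRIMARY KEY, ts TEXT NOT NULL, sensor TEXT NOT NULL,
    signature TEXT NOT NULL, src_ip TEXT NOT NULL, dst_ip TEXT NOT NULL);
CREATE INDEX IF NOT EXISTS event_src ON event (src_ip, ts);
"""


def parse_alert(line):
    ts, sensor, sig, src, dst = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "sensor": sensor,
            "signature": sig, "src": src, "dst": dst}


class RealtimeDetector:
    """Assumed sliding-window rule, applied before storage: `threshold`
    alerts from one source within `window_seconds` raise a notice."""

    def __init__(self, threshold=5, window_seconds=60):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.recent = defaultdict(deque)   # src_ip -> timestamps in window

    def observe(self, alert):
        q = self.recent[alert["src"]]
        q.append(alert["ts"])
        while alert["ts"] - q[0] > self.window:   # expire old timestamps
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()
            return "%s: %d alerts within %ds" % (
                alert["src"], self.threshold, self.window.seconds)
        return None


def ingest(db_path, lines, detector):
    """Collector role (read/write): run realtime rules, then store every alert."""
    notices = []
    conn = sqlite3.connect(db_path)
    try:
        conn.executescript(SCHEMA)
        for line in lines:
            a = parse_alert(line)
            hit = detector.observe(a)
            if hit:
                notices.append(hit)
            conn.execute("INSERT INTO event (ts, sensor, signature, src_ip, dst_ip) "
                         "VALUES (?, ?, ?, ?, ?)", (a["ts"].isoformat(), a["sensor"],
                                                    a["signature"], a["src"], a["dst"]))
        conn.commit()
    finally:
        conn.close()
    return notices


def analyst_connection(db_path):
    """Analyst role: read-only handle; any write through it raises."""
    return sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)


def top_sources(conn, end, days):
    """Historical view: alerts per source over the `days` days before `end`."""
    start = (end - timedelta(days=days)).isoformat()
    return conn.execute("SELECT src_ip, COUNT(*) AS n FROM event WHERE ts >= ? AND ts < ? "
                        "GROUP BY src_ip ORDER BY n DESC, src_ip",
                        (start, end.isoformat())).fetchall()


def run_demo(db_path=None):
    """Ingest the sample alerts, then query them as the analyst."""
    if db_path is None:
        db_path = os.path.join(tempfile.mkdtemp(), "ids_events.db")
    notices = ingest(db_path, SAMPLE_ALERTS.splitlines(), RealtimeDetector())
    ro = analyst_connection(db_path)
    try:
        end = datetime(2001, 9, 21)
        week, month = top_sources(ro, end, 7), top_sources(ro, end, 30)
        try:
            ro.execute("DELETE FROM event")   # must fail on the read-only handle
            write_blocked = False
        except sqlite3.OperationalError:
            write_blocked = True
    finally:
        ro.close()
    return notices, week, month, write_blocked


if __name__ == "__main__":
    print(run_demo())
```

The realtime rule fires on the fifth cmd.exe alert at 10:00:20, before that row reaches the database; the 30-day query is the only place the August scan from 203.0.113.5 shows up, which is the kind of slower pattern the stored data is for. Real deployments would put the SELECT-only grant on the analyst account rather than relying on a read-only file handle.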
    



    This archive was generated by hypermail 2b30 : Fri Sep 21 2001 - 07:39:53 PDT