What is the best strategy for detecting database intrusions?

Filesystem intrusions can be detected using tools such as Snort, but it is more difficult to detect intrusions into a database, such as deletion of rows, modification of tables, etc. What is the best way to monitor this to detect unwanted changes in the DB?

I am using MySQL so anything that is not database-agnostic should ideally be aimed at MySQL.


Solution 1:

It depends on how you connect to your database. If you are using a web application, Snort (and other NIDS) will be able to detect SQL injections and other attacks that happen over HTTP.

The issue is that if you are using SSL or encrypted connections to your db, your NIDS will be blind to the traffic.

That's why log analysis is very important. The only way your db talks back to you is through the logs, and many DBAs are not familiar with it. I really don't understand why everyone accepts web logging as familiar but neglects db logging (I will rant more about it another time).

To enable the MySQL log: http://www.ossec.net/wiki/index.php/SQL_Logging#MySQL_Logging

I also use the open source OSSEC to monitor my MySQL logs and it works great.

Solution 2:

I don't use MySQL, so I can't speak to any specific features of the platform.

It sounds like you want an audit trail of some kind. Speaking in a general RDBMS sense, you might be able to use triggers to get you some of the functionality you're looking for. I don't think you're going to get an audit-trail of schema modification unless MySQL represents the schema as tables that can, in turn, have triggers placed on them.

Of course, all that trigger nonsense is moot if someone gets "root" level access to the database and just unhooks the triggers before they start monkeying with the data. At that point, all bets are off. (...and that doesn't even start to deal with someone getting "root" level access to the OS hosting the database... byte-level manipulation of the database files, mounting them up on a database instance that has had security features "hacked" out of it, etc... :) )

Solution 3:

If you really want to track every change to your tables, you'll have to do something crazy like enable the MySQL query log and scan for the bad stuff using something like Simple Event Correlator. Don't do this though, because it will kill your server's performance.

Honestly, your best bet is to prevent unwanted changes in the first place by using MySQL permissions.

Solution 4:

Snort can still be helpful. The catch is knowing where your database traffic should come from. If it's coming from a source other than what's approved, you can block it, obviously, within MySQL. However, you can also set up alerts in your IDS to see this sort of thing.

With respect to an attack coming from an authorized IP address, that's a bit of a challenge. The key question there is what should a connection be allowed to do and what shouldn't it? And that goes back to setting permissions properly. If a legitimate user connects from a legitimate IP and needs DELETE permissions and wants to be malicious, there's not a whole lot you can do about it during the actual modification. A suggestion was given for auditing, but it hurts your performance. I'm not sure you have an effective control if users can directly access the database and make changes. All database platforms, not just MySQL, struggle with this. You have a trusted user making an authorized change. There's only so much you can do.
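The log-analysis approach from Solutions 1 and 3 and the "where should connections come from" check from Solution 4 can be combined in a small scanner over the MySQL general query log. This is an added example, not code from any of the answers above; it assumes the classic text general_log layout (`YYMMDD HH:MM:SS`, thread id, command, argument) and uses a constructed approved-host list and sample log.

```python
"""Scan MySQL general_log lines for destructive statements and unexpected client
hosts. Assumes the classic text layout: optional timestamp, thread id, command, argument."""
import re

# Hosts allowed to open connections (constructed for this example).
APPROVED_HOSTS = {"10.0.0.5", "localhost"}
# Statement verbs that change or destroy data or schema.
DESTRUCTIVE = {"DELETE", "DROP", "ALTER", "TRUNCATE", "UPDATE", "GRANT"}
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d{6}\s+\d{2}:\d{2}:\d{2}))?\s+(?P<tid>\d+)\s+"
    r"(?P<cmd>\w+)\s*(?P<arg>.*)$"
)

def scan(lines, approved_hosts=APPROVED_HOSTS):
    """Return a list of (thread_id, user@host, reason, statement) alerts."""
    sessions = {}  # thread id -> "user@host", recorded at Connect time
    alerts = []
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\n"))
        if not m:
            continue  # column header, 'started with:' banner, etc.
        tid, cmd, arg = m.group("tid"), m.group("cmd"), m.group("arg").strip()
        if cmd == "Connect":
            who = arg.split(" on ")[0]  # "user@host on db" -> "user@host"
            sessions[tid] = who
            if who.rsplit("@", 1)[-1] not in approved_hosts:
                alerts.append((tid, who, "connection from unapproved host", arg))
        elif cmd == "Query":
            who = sessions.get(tid, "unknown")
            verb = arg.split(None, 1)[0].upper() if arg else ""
            if verb in DESTRUCTIVE:
                alerts.append((tid, who, f"destructive statement ({verb})", arg))
            if verb in {"DELETE", "UPDATE"} and not re.search(r"\bWHERE\b", arg, re.I):
                alerts.append((tid, who, "unbounded DELETE/UPDATE (no WHERE)", arg))
        elif cmd == "Quit":
            sessions.pop(tid, None)
    return alerts

# Constructed sample log, not a capture from any real server.
SAMPLE_LOG = """\
Time                 Id Command    Argument
100101 12:00:01\t    1 Connect\tapp@10.0.0.5 on shopdb
\t\t    1 Query\tSELECT * FROM orders WHERE id = 3
100101 12:00:02\t    2 Connect\tapp@192.168.1.77 on shopdb
\t\t    2 Query\tDELETE FROM orders
\t\t    1 Query\tUPDATE orders SET status='shipped' WHERE id = 3
\t\t    2 Query\tDROP TABLE audit_log
\t\t    2 Quit\t
""".splitlines()
```

Running `scan(SAMPLE_LOG)` yields five alerts: one for the unapproved host, two for the unbounded DELETE, one for the legitimate but destructive UPDATE, and one for the DROP TABLE. Because the general log records every statement, the performance cost Solution 3 warns about applies; feeding the file to OSSEC or a similar log agent is the production-grade version of this loop.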

Solution 5:

There are commercial products designed for this. I think we looked at DbProtect (www.appsecinc.com) and it was major dollars to implement, but we ended up not doing it. I also have seen Guardium (www.guardium.com). Both claim to support some version of MySQL.