Snort mailing list archives
Re: [patch] snort with mysql+SSL support
From: Joel Esler <jesler () sourcefire com>
Date: Sat, 25 Jun 2011 08:23:32 -0400
Ryan,

Thanks for submitting. However, in an upcoming release, we are going to be removing direct-to-db logging from Snort, instead relying on the much faster unified2 format, as discussed on the snort-devel list. We have already turned over the schemas for the databases to the barnyard2 team, and are attempting to plan at what release we'll be removing this functionality.

I think your idea is great; however, I'd encourage you to make contact with the barnyard2 team to see if they would be interested in incorporating the functionality into barnyard2. They should be on this list.

--
Sent from my iPad
Please excuse the brevity

On Jun 24, 2011, at 9:52 PM, Ryan Steinmetz <rpsfa () rit edu> wrote:
All,

I've thrown together a quick hack to require SSL use when logging to a mysql database. I've tested this against v2.9.0.5 and it seems to work fine.

A few notes:

-If you are chrooting snort, you'll need to have a devfs mount within the new root as the mysql client libs will want access to /dev/urandom.
-If you are chrooting snort, you will also need to have the certificates available within the chrooted environment as well.
-Once the patch has been applied, snort will require SSL for all mysql connections. To disable this you will need to revert the patch.
-Certificates must exist in /usr/local/etc/snort/certs and be named as follows:
--ca.pem: The CA's public key
--cert.pem: The client's public key
--key.pem: The client's private key

Ideally, this would be incorporated into future releases and include config knobs to allow for flexibility.

-r

--
Ryan Steinmetz
PGP: EF36 D45A 5CA9 28B1 A550 18CD A43C D111 7AD7 FAF2

<sslpatch.diff>
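The chroot caveats in Ryan's notes (a devfs mount providing /dev/urandom, and the three certificate files present under the chroot) are easy to get wrong at deploy time. The following pre-flight check is an added example written for this page; it is not part of the submitted patch or of Snort. It assumes the certificate layout Ryan describes (ca.pem, cert.pem, key.pem in /usr/local/etc/snort/certs, resolved relative to the chroot root) and adds one check the notes do not mention: that key.pem is not readable by group or other. The default chroot path /var/snort is a placeholder assumption, not something the thread specifies.

```shell
#!/bin/sh
# Pre-flight check for a chrooted Snort logging to MySQL over SSL.
# Added example for this page, not code from the patch or from Snort.
#
# Usage: check_mysql_ssl_chroot [CHROOT_ROOT] [CERT_DIR_INSIDE_CHROOT]
#   CHROOT_ROOT defaults to /var/snort (an assumed, hypothetical path).
#   CERT_DIR defaults to the directory Ryan's patch expects.
# Returns 0 when every check passes, 1 otherwise; each problem is
# reported on stderr so the operator sees all of them in one run.
check_mysql_ssl_chroot() {
    root=${1-/var/snort}
    certdir=${2-/usr/local/etc/snort/certs}
    rc=0

    # The mysql client libs seed their SSL RNG from /dev/urandom, so the
    # chroot needs a devfs mount (or an equivalent device node) there.
    if [ ! -c "$root/dev/urandom" ]; then
        echo "missing character device $root/dev/urandom (mount devfs inside the chroot)" >&2
        rc=1
    fi

    # All three files the patch opens must exist inside the chroot, since
    # Snort cannot see anything outside it after chroot().
    for f in ca.pem cert.pem key.pem; do
        if [ ! -r "$root$certdir/$f" ]; then
            echo "missing or unreadable $root$certdir/$f" >&2
            rc=1
        fi
    done

    # Extra check: the client's private key must not be group/world
    # readable. stat -c is GNU, stat -f %Lp is BSD; try both.
    key="$root$certdir/key.pem"
    if [ -e "$key" ]; then
        mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
        case "$mode" in
            *00) ;;   # 600, 400, 700: owner-only access
            *) echo "$key has mode $mode: private key readable by group/other" >&2
               rc=1 ;;
        esac
    fi

    return $rc
}
```

Run it as root before starting Snort in the chroot; a non-zero exit means the mysql client library would either fail to initialise SSL or fail to find its certificates once Snort has dropped into the new root.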
Current thread:
- [patch] snort with mysql+SSL support Ryan Steinmetz (Jun 24)
- Re: [patch] snort with mysql+SSL support Joel Esler (Jun 25)
- Re: [patch] snort with mysql+SSL support Ryan Steinmetz (Jun 25)
- Re: [patch] snort with mysql+SSL support Joel Esler (Jun 25)
- Re: [patch] snort with mysql+SSL support Ryan Steinmetz (Jun 25)
- Re: [patch] snort with mysql+SSL support Joel Esler (Jun 25)