Snort mailing list archives
RE: Needed: sample stunnel 4.04 stunnel.conf files
From: "robert schwartz" <robert () mrsquirrel com>
Date: Wed, 28 Jan 2004 12:43:07 -0800
> I've been trying to get a Snort sensor to work through stunnel to a MySQL data collector for the last few days... without success. The problem is figuring out all that needs to go in the stunnel.conf files on the sensor and the collector. Would some very wise snorter help this newbie out with a couple of example .conf files? tia
>
> Allen Witt, Network Security Administrator
> SAIC
> 865-425-5199
Here is what I did; you might do it differently. The master server runs mysql and stunnel as a daemon listening on port 3307 to decrypt and send to port 3306 (mysql). You could pick any port for the encrypted communications, and any database socket for whatever DB you chose. I am using OpenSSL for authentication. I generated some OpenSSL certificates for this too so I could use the "verify = 3" feature to mutually authenticate via SSL PEM-encoded certificates (just read the OpenSSL manual for how to create the .pem file and break it in half to make a .cert file; it's super easy). You can of course do this w/o mutual authentication by setting "verify = ", I believe, but I didn't explore that option.

The remote sensors use daemontools to manage the snort and stunnel processes, so the "foreground = yes" setting in the remote sensors' stunnel.conf is for that; you won't need it unless you want to use daemontools also (which you should think about). Using this scheme has a lot of benefits outside the encryption/authentication, like the snort user from the remote sensor always looking like localhost to the DB, so you can deploy TONS of sensors quick and easy w/o needing to give that person root on the DB console.

stunnel.conf from the database server:

    cert = /etc/stunnel/mysql.pem
    pid =
    client = no
    CAfile = /etc/stunnel/cmysql.cert
    verify = 3

    [3306]
    accept = 3307
    connect = 3306

stunnel.conf from the remote sensors:

    pid =
    foreground = yes
    cert = /etc/stunnel/cmysql.pem
    CAfile = /etc/stunnel/mysql.cert
    verify = 3
    client = yes

    [3307]
    accept = 3306
    connect = ip.ofthe.database.server:3307
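The two-sided setup described in the reply above, as an added example that is not part of the original post and not stunnel's own tooling: a POSIX shell script that generates one self-signed certificate per side, splits each into the key+cert .pem that side presents (stunnel's "cert =") and the cert-only file the opposite side pins through "CAfile =" with "verify = 3", writes both stunnel.conf files, and uses openssl verify to show that a certificate absent from a CAfile is rejected. The subject names, 2048-bit RSA keys, 365-day validity, the "[mysql]" section name, the explicit 127.0.0.1 loopback bind on the sensor, and the output file names are assumptions made here; the database host name reuses the post's placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the mutual-auth
# stunnel 4.x layout from the thread: db host listens on 3307 (TLS) and
# forwards to mysqld on 3306; each sensor listens on local 3306 and tunnels
# to the db host. Assumptions: CN values, rsa:2048, 365 days, file names.
set -eu

DB_HOST="${DB_HOST:-ip.ofthe.database.server}"   # placeholder from the post

# make_pair DIR NAME CN
# Writes DIR/NAME.pem  (private key + cert: what this side gives to "cert =")
# and    DIR/NAME.cert (cert only: what the OTHER side pins via "CAfile =").
make_pair() {
    dir=$1; name=$2; cn=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.cert" 2>/dev/null
    cat "$dir/$name.key" "$dir/$name.cert" > "$dir/$name.pem"
    chmod 600 "$dir/$name.pem"          # the .pem holds the private key
    rm -f "$dir/$name.key"
}

# write_server_conf DIR : stunnel.conf for the database host.
# verify = 3 with a self-signed sensor cert in CAfile means "accept exactly
# this certificate"; connect without a host means localhost in stunnel 4,
# written out explicitly here.
write_server_conf() {
    cat > "$1/stunnel-server.conf" <<EOF
cert = /etc/stunnel/mysql.pem
CAfile = /etc/stunnel/cmysql.cert
verify = 3
client = no
pid =

[mysql]
accept = 3307
connect = 127.0.0.1:3306
EOF
}

# write_sensor_conf DIR HOST : stunnel.conf for a sensor.
# Binding accept to 127.0.0.1 keeps the cleartext side reachable only by the
# local snort process; a bare "accept = 3306" listens on every interface.
write_sensor_conf() {
    cat > "$1/stunnel-sensor.conf" <<EOF
cert = /etc/stunnel/cmysql.pem
CAfile = /etc/stunnel/mysql.cert
verify = 3
client = yes
foreground = yes
pid =

[mysql]
accept = 127.0.0.1:3306
connect = $2:3307
EOF
}

# check_pin CAFILE CERT : succeeds only if CERT chains to (here: equals)
# what CAFILE contains, i.e. what stunnel would accept at verify = 3.
check_pin() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo : generate everything into a temp dir and show the pin working.
demo() {
    d=$(mktemp -d)
    make_pair "$d" mysql  snort-db       # mysql.pem -> db host, mysql.cert -> sensors' CAfile
    make_pair "$d" cmysql snort-sensor   # cmysql.pem -> sensors, cmysql.cert -> db host's CAfile
    make_pair "$d" rogue  rogue-sensor   # a cert nobody pinned
    write_server_conf "$d"
    write_sensor_conf "$d" "$DB_HOST"
    check_pin "$d/cmysql.cert" "$d/cmysql.cert" && echo "sensor cert accepted by db CAfile"
    check_pin "$d/cmysql.cert" "$d/rogue.cert"  || echo "rogue cert rejected by db CAfile"
    echo "files written under $d"
}

case "${1:-}" in demo) demo ;; esac
```

Run as `sh script.sh demo`. Two operational caveats follow from verify = 3: the CAfile pins the exact peer certificate, so renewing either side's certificate means redistributing the new .cert file to the other side before the old one expires, and the .pem files contain private keys, so keep them readable only by the account stunnel runs as.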
Current thread:
- Needed: sample stunnel 4.04 stunnel.conf files Witt, Allen (Jan 27)
- Re: Needed: sample stunnel 4.04 stunnel.conf files twig les (Jan 28)
- RE: Needed: sample stunnel 4.04 stunnel.conf files robert schwartz (Jan 28)