Snort mailing list archives

RE: Needed: sample stunnel 4.04 stunnel.conf files


From: "robert schwartz" <robert () mrsquirrel com>
Date: Wed, 28 Jan 2004 12:43:07 -0800

I've been trying to get a Snort sensor to work through 
stunnel to a Mysql data collector for the last few days... 
without success. 
The problem is figuring out all that needs to go in the 
stunnel.conf files in the sensor and collector. Would some very wise 
snorter help this newbie out with a couple of example .conf files?

tia

Allen Witt, Network Security Administrator
SAIC
865-425-5199

Here is what I did; you might do it differently.  The master server runs
mysql and stunnel as a daemon listening on port 3307 to decrypt and send
to port 3306 (mysql).  You could pick any port for the encrypted
communications, and any database socket for whatever DB you chose.  I am
using OpenSSL for authentication.  I generated some OpenSSL certificates
for this too so I could use the "verify = 3" feature to mutually
authenticate via SSL pem encoded certificates (just read the manual for
OpenSSL for how-to create the pem file and break it in 1/2 to make a
cert file; it's super easy). You can of course do this w/o mutual
authentication by setting "verify = " I believe, but I didn't explore
that option.

The remote sensors use daemontools to manage snort and stunnel processes,
so the "foreground = yes" feature of the remote sensors' stunnel is for
that; you won't need it unless you want to use daemontools also (which
you should think about). 

Using this scheme has a lot of benefits outside the
encryption/authentication, like the snort user from the remote sensor is
always looking like localhost to the DB, so you can deploy TONS of
sensors quick and easy w/o needing to give that person root on the DB
console.  

Stunnel.conf from the database server:
cert = /etc/stunnel/mysql.pem
pid =
client = no
CAfile = /etc/stunnel/cmysql.cert
verify = 3
[3306]
accept = 3307
connect = 3306

Stunnel.conf from the remote sensors:
pid =
foreground = yes
cert = /etc/stunnel/cmysql.pem
CAfile = /etc/stunnel/mysql.cert
verify = 3
client = yes
[3307]
accept = 3306
connect = ip.ofthe.database.server:3307
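The two stunnel.conf files above have to agree with each other in several places (server side "client = no" versus sensor side "client = yes", the sensor's connect port matching the server's accept port, and "verify = 3" only making sense when a CAfile is configured on both ends). The following added example, which is not part of the original post, is a small Python checker for that pairing. It assumes stunnel's plain "key = value" / "[service]" syntax as shown in the post, and the rule that verify levels 2 and 3 need a CAfile (or CApath) to verify the peer against; the function names are the example's own.

```python
"""Consistency check for a matched pair of stunnel 4.x configs (DB server + sensor).

The two sample configs below are copied from the post; the checks are an
added example, not stunnel's own validation.
"""

# Config of the stunnel in front of MySQL on the collector (from the post).
SERVER_CONF = """
cert = /etc/stunnel/mysql.pem
pid =
client = no
CAfile = /etc/stunnel/cmysql.cert
verify = 3
[3306]
accept = 3307
connect = 3306
"""

# Config of the stunnel on each Snort sensor (from the post).
CLIENT_CONF = """
pid =
foreground = yes
cert = /etc/stunnel/cmysql.pem
CAfile = /etc/stunnel/mysql.cert
verify = 3
client = yes
[3307]
accept = 3306
connect = ip.ofthe.database.server:3307
"""


def parse_stunnel_conf(text):
    """Return (global_opts, {service_name: opts}); keys are lower-cased, values stripped."""
    global_opts, services = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
            continue
        if "=" not in line:
            raise ValueError(f"malformed stunnel.conf line: {raw!r}")
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return global_opts, services


def port_of(endpoint):
    """Extract the port from an accept/connect value ('3307' or 'host:3307')."""
    return endpoint.rsplit(":", 1)[-1]


def check_pair(server_text, client_text):
    """Return a list of findings; an empty list means the pair looks consistent."""
    findings = []
    sg, ss = parse_stunnel_conf(server_text)
    cg, cs = parse_stunnel_conf(client_text)

    # Roles: the collector decrypts (client = no), the sensor encrypts (client = yes).
    if sg.get("client", "no") != "no":
        findings.append("server: expected client = no")
    if cg.get("client") != "yes":
        findings.append("sensor: expected client = yes")

    # Mutual authentication as used in the post: verify = 3 on both ends, each
    # with its own cert and the peer's cert in CAfile (assumption: verify >= 2
    # is meaningless without CAfile/CApath to verify the peer against).
    for role, opts in (("server", sg), ("sensor", cg)):
        verify = opts.get("verify", "0")
        if verify != "3":
            findings.append(f"{role}: verify = {verify}, post uses 3 for mutual auth")
        if verify in ("2", "3") and not (opts.get("cafile") or opts.get("capath")):
            findings.append(f"{role}: verify = {verify} but no CAfile/CApath configured")
        if "cert" not in opts:
            findings.append(f"{role}: no cert, so it cannot present a certificate to the peer")

    # Port plumbing: every sensor service must connect to a port the server accepts,
    # and no server service may accept and connect on the same port (a loop).
    server_accept_ports = {port_of(s["accept"]) for s in ss.values() if "accept" in s}
    for name, svc in ss.items():
        if "accept" in svc and "connect" in svc and port_of(svc["accept"]) == port_of(svc["connect"]):
            findings.append(f"server [{name}]: accept and connect use the same port")
    for name, svc in cs.items():
        if "accept" not in svc or "connect" not in svc:
            findings.append(f"sensor [{name}]: needs both accept and connect")
            continue
        if port_of(svc["connect"]) not in server_accept_ports:
            findings.append(
                f"sensor [{name}]: connects to port {port_of(svc['connect'])}, "
                f"which no server service accepts"
            )
    return findings


if __name__ == "__main__":
    problems = check_pair(SERVER_CONF, CLIENT_CONF)
    print("OK: configs are consistent" if not problems else "\n".join(problems))
```

Run it against the two files from a real deployment by reading them into the two strings; a sensor that silently dropped "verify = 3" (falling back to no peer verification) or that points at the wrong server port is reported before anything is put into production.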



