Snort mailing list archives

Re: Secure Connection to transfer logs.


From: beenph <beenph () gmail com>
Date: Thu, 29 Apr 2010 14:38:31 -0400

I will not talk about MySQL here because I don't know, but I'm sure it's
quite similar; as for the PostgreSQL libraries,
they can be built with SSL (generally depending on your build options).

From there it's generally a matter of passing the option to the library.

ref: http://www.postgresql.org/docs/8.2/static/libpq-connect.html
<snip>
sslmode
This option determines whether or with what priority an SSL connection
will be negotiated with the server. There are four modes: disable will
attempt only an unencrypted SSL connection; allow will negotiate,
trying first a non-SSL connection, then if that fails, trying an SSL
connection; prefer (the default) will negotiate, trying first an SSL
connection, then if that fails, trying a regular non-SSL connection;
require will try only an SSL connection.

If PostgreSQL is compiled without SSL support, using option require
will cause an error, while options allow and prefer will be accepted
but libpq will not in fact attempt an SSL connection.

requiressl
This option is deprecated in favor of the sslmode setting.

If set to 1, an SSL connection to the server is required (this is
equivalent to sslmode require). libpq will then refuse to connect if
the server does not accept an SSL connection. If set to 0 (default),
libpq will negotiate the connection type with the server (equivalent
to sslmode prefer). This option is only available if PostgreSQL is
compiled with SSL support.
</snip>


But since barnyard2 uses PQsetdbLogin, the following code could be changed to:

<old>
#ifdef ENABLE_POSTGRESQL
    if( data->shared->dbtype_id == DB_POSTGRESQL )
    {
        data->p_connection =
            PQsetdbLogin(data->shared->host,data->port, NULL, NULL,
                         data->shared->dbname, data->user, data->password);

        if(PQstatus(data->p_connection) == CONNECTION_BAD)
        {
            PQfinish(data->p_connection);
            FatalError("database: Connection to database '%s' failed\n", data->shared->dbname);
        }
    }
#endif
</old>

<new>
#ifdef ENABLE_POSTGRESQL
    const char ssloption[] = "sslmode=require";

    if( data->shared->dbtype_id == DB_POSTGRESQL )
    {
        data->p_connection =
            PQsetdbLogin(data->shared->host,data->port, ssloption, NULL,
                         data->shared->dbname, data->user, data->password);

        if(PQstatus(data->p_connection) == CONNECTION_BAD)
        {
            PQfinish(data->p_connection);
            FatalError("database: Connection to database '%s' failed\n", data->shared->dbname);
        }
    }
#endif
</new>


It's quite transparent and removes an external point of failure over
Stunnel.

As long as your database backend supports SSL; and I'm sure it's quite
trivial to enable for MySQL also.

-elz

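An added example, not code from this post or from barnyard2: PQsetdbLogin's third argument is pgoptions (server command-line options), so libpq does not read sslmode from it; sslmode is a connection parameter and belongs in the conninfo string given to PQconnectdb. The function below builds that string with libpq's quoting rules (values single-quoted, embedded ' and \ backslash-escaped) from the same host, port, dbname, user and password fields; the host and credential values in main are constructed placeholders. Note that the plain require mode in the quoted 8.2 docs only encrypts the session; libpq 8.4 and later also accept verify-full, which additionally checks the server certificate against a trusted CA.

```c
#include <stdio.h>
#include <string.h>
/* Append " key='value'" to buf, quoting the value as libpq conninfo strings
 * require: single-quoted, embedded ' and \ escaped as \' and \\.
 * Returns 0 on success, -1 if buf (capacity cap) cannot hold the result. */
static int append_kv(char *buf, size_t cap, const char *key, const char *val)
{
    size_t n = strlen(buf);
    if (n + strlen(key) + 3 >= cap) return -1;      /* room for " key='" */
    n += (size_t)snprintf(buf + n, cap - n, "%s%s='", n ? " " : "", key);
    for (; *val; val++) {
        if (n + 3 >= cap) return -1;                /* escape + char + quote */
        if (*val == '\'' || *val == '\\') buf[n++] = '\\';
        buf[n++] = *val;
    }
    if (n + 2 >= cap) return -1;
    buf[n++] = '\''; buf[n] = '\0';
    return 0;
}

/* Build the conninfo string PQconnectdb() expects from the same fields
 * barnyard2 hands to PQsetdbLogin(), plus sslmode (which PQsetdbLogin's
 * pgoptions argument does not carry). NULL or empty values are omitted. */
int build_conninfo(char *buf, size_t cap, const char *host, const char *port,
                   const char *dbname, const char *user, const char *password,
                   const char *sslmode)
{
    const char *keys[] = { "host", "port", "dbname", "user", "password", "sslmode" };
    const char *vals[] = { host, port, dbname, user, password, sslmode };
    size_t i;
    if (cap == 0) return -1;
    buf[0] = '\0';
    for (i = 0; i < sizeof keys / sizeof keys[0]; i++) {
        if (vals[i] == NULL || vals[i][0] == '\0') continue;
        if (append_kv(buf, cap, keys[i], vals[i]) != 0) return -1;
    }
    return 0;
}

int main(void)
{
    char conninfo[512];   /* constructed sample values, not a real deployment */
    if (build_conninfo(conninfo, sizeof conninfo, "db.example.internal", "5432",
                       "snorby", "barnyard2", "s3cr'et", "verify-full") != 0)
        return 1;
    printf("%s\n", conninfo);
    /* With libpq: PGconn *c = PQconnectdb(conninfo); use it only if PQstatus(c) == CONNECTION_OK. */
    return 0;
}
```
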
On Thu, Apr 29, 2010 at 2:18 PM, Garland, Ken R <garlandkr () gmail com> wrote:
After chatting in #Snorby on freenode this is the route I'm going to be
taking as well.

Thanks.

On Thu, Apr 29, 2010 at 2:09 PM, Randal T. Rioux <randy () procyonlabs com> wrote:

On Thu, April 29, 2010 12:54 pm, Garland, Ken R wrote:
I'm setting up a Snorby front-end and planning to send the snort logs to
it over the management interface. What would be considered a "best
practice" with regard to securely transferring the data?

Using syslog-ng and ssl?

I've used Stunnel for sending Barnyard(2) parsed unified(2) logs to a
remote database server. Always a nice added layer of security.

Randy




------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
