Re: [patch] snort with mysql+SSL support

[Ryan Steinmetz <rpsfa () rit edu>]

Joel,

Thanks for the reply.  I do believe that barnyard2 does include support for using SSL with MySQL.

I was unaware that removing the direct to db logging was being discussed...perhaps I should subscribe to -devel too? ;)

-r

On (06/25/11 08:23), Joel Esler wrote:
> Ryan,
>
> Thanks for submitting. However, in an upcoming release, we are going to be removing direct to db logging from Snort, 
> instead relying on the much faster unified2 format. as discussed on the snort-devel list. 
>
> We have already tuned over the schemas for the databases to the barnyard2 team, and are attempting to plan at what 
> release we'll be removing this functionality. 
>
> I think your idea is great, however, I'd encourage you to make contact with the barnyard2 team to see if they would 
> be interested in incorporating the functionality into barnyard2. 
>
> They should be on this list. 
>
> -- 
> Sent from my iPad
> Please excuse the brevity
>
> On Jun 24, 2011, at 9:52 PM, Ryan Steinmetz <rpsfa () rit edu> wrote:
>
> > All,
> >
> > I've thrown together a quick hack to require SSL use when logging to a mysql database.  I've tested this against 
> > v2.9.0.5 and it seems to work fine.
> >
> > A few notes:
> > -If you are chrooting snort, you'll need to have a devfs mount within the new root as the mysql client libs will 
> > want access to /dev/urandom.
> > -If you are chrooting snort, you will also need to have the certificates available within the chrooted environment 
> > as well.
> > -Once the patch has been applied, snort will require SSL for all mysql connections.  To disable this you will need 
> > to revert the patch.
> > -Certificates must exist in /usr/local/etc/snort/certs and be named as follows:
> > --ca.pem: The CA's public key
> > --cert.pem: The client's public key
> > --key.pem: The client's private key
> >
> > Ideally, this would be incorporated into future releases and include config knobs to allow for flexibility.
> >
> > -r
> >
> > -- 
> > Ryan Steinmetz
> > PGP: EF36 D45A 5CA9 28B1 A550  18CD A43C D111 7AD7 FAF2
> > <sslpatch.diff>

-- 
Ryan Steinmetz
PGP: EF36 D45A 5CA9 28B1 A550  18CD A43C D111 7AD7 FAF2

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a 
definitive record of customers, application performance, security 
threats, fraudulent activity and more. Splunk takes this data and makes 
sense of it. Business sense. IT sense. Common sense.. 
http://p.sf.net/sfu/splunk-d2d-c1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation