[Snort-users] Snort logging to encrypted MySQL (ssl) server?

David DeCoster decoster at ...10463...
Tue Nov 4 09:31:04 EST 2003


I have the SSH tunneling working, but I was just trying to find out if
there was a way to make snort work with the SSL features in MySQL 4. 
That way, I can eliminate another point of failure if SSH dies for some
reason.

Does anyone know if there is a patch available for the spo_database
plugin to make encrypted MySQL work?

Thanks again,

-dave

On Tue, 2003-11-04 at 05:05, jon baer wrote:
> you could try to install ssh on the server/client and tunnel the traffic ...
> 
> ssh -L 3306:server.com:3306 user at ...5168...
> 
> then change your snort.conf to point to localhost ... i think the problem is
> just that the plugin does not handle ssl correctly.
> 
> - jon
> 
> ----- Original Message -----
> From: "David DeCoster" <decoster at ...10463...>
> To: <snort-users at lists.sourceforge.net>
> Sent: Tuesday, November 04, 2003 11:33 AM
> Subject: [Snort-users] Snort logging to encrypted MySQL (ssl) server?
> 
> 
> > Hello all--
> >
> > I have a question that is driving me nuts.  I have a remote snort sensor
> > (running ver. 2.0.2 on Debian testing) that I need to have log to a
> > MySQL database in my office (also on Debian testing and MySQL is version
> > 4.0.3).
> >
> > The sensor needs to send the MySQL traffic over a hostile network (aka.
> > one I do not control), so I do not want the mysql traffic sent in the
> > clear.
> >
> > I have MySQL 4.0.3 installed on the sensor (client, libraries, and
> > headers) and the database computer.  I enabled SSL (X.509 certificates)
> > on the MySQL server and I am able to get an encrypted connection back to
> > the database server using the command-line 'mysql' command.
> >
> > When I tried to make this work with snort, it failed and I was not able
> > to log in to the MySQL database (and snort rolls over and dies).
> >
> > Does anyone have any ideas on how to make snort log to MySQL with SSL?
> > I've tried recompiling snort with the MySQL libraries and includes from
> > 4.0.3, but nothing seems to work.

-- 
David DeCoster <decoster at ...10463...>
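
The SSH-tunnel workaround suggested in this thread, written out as a snort.conf fragment. This is an added example, not part of the original messages; the host name db.example.org, the account names, the database name and the password are placeholders. It points the plugin at 127.0.0.1 rather than the name localhost, because the MySQL client library treats "localhost" as a request for the local Unix socket and would never reach the forwarded TCP port.

```conf
# Added example: snort.conf fragment for logging through an SSH tunnel.
# All host names, users and passwords below are placeholders.
#
# Tunnel, started on the sensor before Snort (shown as a comment because it
# is a shell command, not a snort.conf directive):
#
#   ssh -N -L 3306:127.0.0.1:3306 \
#       -o ServerAliveInterval=30 -o ExitOnForwardFailure=yes \
#       tunnel@db.example.org
#
#   -N                     forward only, run no remote command
#   -L 3306:127.0.0.1:3306 sensor port 3306 -> port 3306 on the database host,
#                          as seen from the database host itself
#   ServerAliveInterval    lets the client notice a dead link instead of hanging
#   ExitOnForwardFailure   exit if the local port cannot be bound, rather than
#                          leaving a session open with no forward
#
# The forwarded port listens on the sensor's loopback interface only unless
# GatewayPorts is enabled, so the cleartext MySQL protocol stays on the sensor.

# host must be the literal address 127.0.0.1: with host=localhost the MySQL
# client library connects to the local Unix socket and ignores the port.
output database: log, mysql, user=snort password=CHANGE_ME dbname=snort host=127.0.0.1 port=3306
```

On the database side, the account Snort uses only needs to accept connections from 127.0.0.1, since the SSH daemon makes the connection locally on the database host.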




