[Snort-users] Secure Connection to transfer logs.

beenph beenph at ...11827...
Thu Apr 29 14:38:31 EDT 2010


I will not talk about mysql here because i dont know but im sure it
quite similar, but as of postgresql libraries,
they can be build with SSL (generally depending on your build option).

>From there generally its a matter of passing the option to the library

ref: http://www.postgresql.org/docs/8.2/static/libpq-connect.html
<snip>
sslmode
This option determines whether or with what priority an SSL connection
will be negotiated with the server. There are four modes: disable will
attempt only an unencrypted SSL connection; allow will negotiate,
trying first a non-SSL connection, then if that fails, trying an SSL
connection; prefer (the default) will negotiate, trying first an SSL
connection, then if that fails, trying a regular non-SSL connection;
require will try only an SSL connection.

If PostgreSQL is compiled without SSL support, using option require
will cause an error, while options allow and prefer will be accepted
but libpq will not in fact attempt an SSL connection.

requiressl
This option is deprecated in favor of the sslmode setting.

If set to 1, an SSL connection to the server is required (this is
equivalent to sslmode require). libpq will then refuse to connect if
the server does not accept an SSL connection. If set to 0 (default),
libpq will negotiate the connection type with the server (equivalent
to sslmode prefer). This option is only available if PostgreSQL is
compiled with SSL support.
</snip>


But since barnyard2 uses PQsetdblogin the following code could be changed to:

<old>
#ifdef ENABLE_POSTGRESQL
    if( data->shared->dbtype_id == DB_POSTGRESQL )
    {
        data->p_connection =
            PQsetdbLogin(data->shared->host,data->port, NULL, NULL,
                         data->shared->dbname, data->user, data->password);

        if(PQstatus(data->p_connection) == CONNECTION_BAD)
        {
            PQfinish(data->p_connection);
            FatalError("database: Connection to database '%s'
failed\n", data->shared->dbname);
        }
    }
#endif
</old>

<new>
#ifdef ENABLE_POSTGRESQL
   const char ssloption[] = "sslmode=require";

    if( data->shared->dbtype_id == DB_POSTGRESQL )
    {
        data->p_connection =
            PQsetdbLogin(data->shared->host,data->port, ssloption, NULL,
                         data->shared->dbname, data->user, data->password);

        if(PQstatus(data->p_connection) == CONNECTION_BAD)
        {
            PQfinish(data->p_connection);
            FatalError("database: Connection to database '%s'
failed\n", data->shared->dbname);
        }
    }
#endif
</new>


Its quite transparent and remove an external point of faillure over
the Stunnel.

As long as your database backend support SSL, and im sure its quite
trivial to enable for mysql also.

-elz

On Thu, Apr 29, 2010 at 2:18 PM, Garland, Ken R <garlandkr at ...11827...> wrote:
> After chatting in #Snorby on freenode this is the route I'm going to be
> taking as well.
>
> Thanks.
>
> On Thu, Apr 29, 2010 at 2:09 PM, Randal T. Rioux <randy at ...13561...>
> wrote:
>>
>> On Thu, April 29, 2010 12:54 pm, Garland, Ken R wrote:
>> > I'm setting up a Snorby front-end and planning to send the snort logs to
>> > it over the management interface. What would be considered a "best
>> > practice" in regards to securely transferring the data.
>> >
>> > Using syslog-ng and ssl?
>>
>> I've used Stunnel for sending Barnyard(2) parsed unified(2) logs to a
>> remote database server. Always a nice added layer of security.
>>
>> Randy
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>




More information about the Snort-users mailing list