[Snort-users] Secure Connection to transfer logs.

Randal T. Rioux randy at ...13561...
Thu Apr 29 15:11:50 EDT 2010


This is a great idea.

Firnsy... calling firnsy... what say you? Add a --with-pgsql-ssl flag?

Thanks
Randy


On Thu, April 29, 2010 2:38 pm, beenph wrote:
> I will not talk about MySQL here because I don't know it, but I'm sure it
> is quite similar; as for the PostgreSQL libraries,
> they can be built with SSL (generally depending on your build options).
>
> From there it is generally a matter of passing the option to the library.
>
> ref: http://www.postgresql.org/docs/8.2/static/libpq-connect.html
> <snip>
> sslmode
> This option determines whether or with what priority an SSL connection
> will be negotiated with the server. There are four modes: disable will
> attempt only an unencrypted SSL connection; allow will negotiate,
> trying first a non-SSL connection, then if that fails, trying an SSL
> connection; prefer (the default) will negotiate, trying first an SSL
> connection, then if that fails, trying a regular non-SSL connection;
> require will try only an SSL connection.
>
> If PostgreSQL is compiled without SSL support, using option require
> will cause an error, while options allow and prefer will be accepted
> but libpq will not in fact attempt an SSL connection.
>
> requiressl
> This option is deprecated in favor of the sslmode setting.
>
> If set to 1, an SSL connection to the server is required (this is
> equivalent to sslmode require). libpq will then refuse to connect if
> the server does not accept an SSL connection. If set to 0 (default),
> libpq will negotiate the connection type with the server (equivalent
> to sslmode prefer). This option is only available if PostgreSQL is
> compiled with SSL support.
> </snip>
>
>
> But since barnyard2 uses PQsetdbLogin, the following code could be changed
> to:
>
> <old>
> #ifdef ENABLE_POSTGRESQL
>     if( data->shared->dbtype_id == DB_POSTGRESQL )
>     {
>         data->p_connection =
>             PQsetdbLogin(data->shared->host, data->port, NULL, NULL,
>                          data->shared->dbname, data->user, data->password);
>
>         if(PQstatus(data->p_connection) == CONNECTION_BAD)
>         {
>             PQfinish(data->p_connection);
>             FatalError("database: Connection to database '%s' failed\n",
>                        data->shared->dbname);
>         }
>     }
> #endif
> </old>
>
> <new>
> #ifdef ENABLE_POSTGRESQL
>     const char ssloption[] = "sslmode=require";
>
>     if( data->shared->dbtype_id == DB_POSTGRESQL )
>     {
>         data->p_connection =
>             PQsetdbLogin(data->shared->host, data->port, ssloption, NULL,
>                          data->shared->dbname, data->user, data->password);
>
>         if(PQstatus(data->p_connection) == CONNECTION_BAD)
>         {
>             PQfinish(data->p_connection);
>             FatalError("database: Connection to database '%s' failed\n",
>                        data->shared->dbname);
>         }
>     }
> #endif
> </new>
>
>
> It's quite transparent and removes an external point of failure over
> Stunnel.
>
> As long as your database backend supports SSL; I'm sure it's quite
> trivial to enable for MySQL also.
>
> -elz
>
> On Thu, Apr 29, 2010 at 2:18 PM, Garland, Ken R <garlandkr at ...11827...>
> wrote:
>> After chatting in #Snorby on freenode this is the route I'm going to be
>> taking as well.
>>
>> Thanks.
>>
>> On Thu, Apr 29, 2010 at 2:09 PM, Randal T. Rioux <randy at ...13561...>
>> wrote:
>>>
>>> On Thu, April 29, 2010 12:54 pm, Garland, Ken R wrote:
>>> > I'm setting up a Snorby front-end and planning to send the snort logs
>>> > to it over the management interface. What would be considered a "best
>>> > practice" in regards to securely transferring the data?
>>> >
>>> > Using syslog-ng and SSL?
>>>
>>> I've used Stunnel for sending Barnyard(2) parsed unified(2) logs to a
>>> remote database server. Always a nice added layer of security.
>>>
>>> Randy
>>>
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
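An added example to go with the proposal above (it is not code from this thread or from barnyard2, and every function name in it is hypothetical). In libpq the third argument of PQsetdbLogin is pgoptions, a string of command-line options forwarded to the server, so the reliable place to put sslmode is a conninfo string handed to PQconnectdb. The helper below builds that string, quoting each value the way libpq conninfo expects (single quotes, with ' and \ escaped by a backslash, so a password containing spaces or quotes cannot break the string), and refuses any sslmode that would let libpq fall back to a cleartext connection. The verify-ca and verify-full modes, which also check the server certificate, exist from PostgreSQL 8.4 onward; require only guarantees encryption. The sample host, database and password are constructed values:

```c
/* Added example, not barnyard2 code: build a libpq conninfo string that
 * forces TLS for the log transport, for use with PQconnectdb(). All
 * function names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 only for sslmode values that never allow a cleartext
 * connection. "prefer" (the libpq default) and "allow" silently fall
 * back to unencrypted transport, so they are rejected for a log feed. */
int sslmode_is_encrypted(const char *mode)
{
    if (mode == NULL)
        return 0;
    return strcmp(mode, "require") == 0 ||
           strcmp(mode, "verify-ca") == 0 ||     /* libpq >= 8.4 */
           strcmp(mode, "verify-full") == 0;     /* libpq >= 8.4 */
}

/* Quote one conninfo value: wrap in single quotes, backslash-escape
 * embedded ' and \. Returns a malloc'd string or NULL on allocation failure. */
static char *conninfo_quote(const char *value)
{
    size_t i, n = strlen(value), extra = 0;
    char *out, *p;

    for (i = 0; i < n; i++)
        if (value[i] == '\'' || value[i] == '\\')
            extra++;
    out = malloc(n + extra + 3);        /* two quotes plus NUL */
    if (out == NULL)
        return NULL;
    p = out;
    *p++ = '\'';
    for (i = 0; i < n; i++) {
        if (value[i] == '\'' || value[i] == '\\')
            *p++ = '\\';
        *p++ = value[i];
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Build "host='..' port='..' dbname='..' user='..' password='..' sslmode='..'".
 * Returns a malloc'd string, or NULL if any value is missing, allocation
 * fails, or sslmode would permit a cleartext connection. */
char *build_conninfo(const char *host, const char *port, const char *dbname,
                     const char *user, const char *password, const char *sslmode)
{
    const char *keys[] = { "host", "port", "dbname", "user", "password", "sslmode" };
    const char *vals[] = { host, port, dbname, user, password, sslmode };
    char *quoted[6] = { 0 };
    char *out = NULL;
    size_t i, total = 1;                /* room for the NUL */

    if (!sslmode_is_encrypted(sslmode))
        return NULL;
    for (i = 0; i < 6; i++) {
        if (vals[i] == NULL)
            goto done;
        quoted[i] = conninfo_quote(vals[i]);
        if (quoted[i] == NULL)
            goto done;
        /* key, '=', quoted value, separating space */
        total += strlen(keys[i]) + 1 + strlen(quoted[i]) + 1;
    }
    out = malloc(total);
    if (out == NULL)
        goto done;
    out[0] = '\0';
    for (i = 0; i < 6; i++) {
        if (i > 0)
            strcat(out, " ");
        strcat(out, keys[i]);
        strcat(out, "=");
        strcat(out, quoted[i]);
    }
done:
    for (i = 0; i < 6; i++)
        free(quoted[i]);
    return out;
}

int main(void)
{
    /* Constructed sample values standing in for barnyard2's config. */
    char *conninfo = build_conninfo("db.example.test", "5432", "snorby",
                                    "snort", "p'w d", "verify-full");
    if (conninfo == NULL) {
        fputs("refused: sslmode would allow a cleartext connection\n", stderr);
        return 1;
    }
    printf("%s\n", conninfo);           /* hand this string to PQconnectdb() */
    free(conninfo);
    return 0;
}
```

In barnyard2's case the returned string would replace the PQsetdbLogin call with `PQconnectdb(conninfo)`, and the existing PQstatus/CONNECTION_BAD check stays as it is; the caller frees the string after connecting.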