[Snort-users] [patch] snort with mysql+SSL support

Joel Esler jesler at ...1935...
Sat Jun 25 08:23:32 EDT 2011


Ryan,

Thanks for submitting. However, in an upcoming release, we are going to be removing direct to db logging from Snort, instead relying on the much faster unified2 format, as discussed on the snort-devel list.

We have already turned over the schemas for the databases to the barnyard2 team, and are attempting to plan at what release we'll be removing this functionality.

I think your idea is great, however, I'd encourage you to make contact with the barnyard2 team to see if they would be interested in incorporating the functionality into barnyard2. 

They should be on this list. 

-- 
Sent from my iPad
Please excuse the brevity

On Jun 24, 2011, at 9:52 PM, Ryan Steinmetz <rpsfa at ...15322...> wrote:

> All,
> 
> I've thrown together a quick hack to require SSL use when logging to a mysql database.  I've tested this against v2.9.0.5 and it seems to work fine.
> 
> A few notes:
> - If you are chrooting snort, you'll need to have a devfs mount within the new root as the mysql client libs will want access to /dev/urandom.
> - If you are chrooting snort, you will also need to have the certificates available within the chrooted environment as well.
> - Once the patch has been applied, snort will require SSL for all mysql connections.  To disable this you will need to revert the patch.
> - Certificates must exist in /usr/local/etc/snort/certs and be named as follows:
>   - ca.pem: The CA's public key
>   - cert.pem: The client's public key
>   - key.pem: The client's private key
> 
> Ideally, this would be incorporated into future releases and include config knobs to allow for flexibility.
> 
> -r
> 
> -- 
> Ryan Steinmetz
> PGP: EF36 D45A 5CA9 28B1 A550  18CD A43C D111 7AD7 FAF2
> <sslpatch.diff>
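
The chroot notes in the quoted message can be checked before snort is started. The shell function below is an added example, not part of the thread or of the attached patch; the paths and file names are the ones the message lists, while the function name and the private-key permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for the chroot notes in the quoted message.
# Usage: check_snort_ssl_root /path/to/chroot   (use "/" when not chrooting)

# Certificate directory named in the message.
CERT_DIR=/usr/local/etc/snort/certs

# check_snort_ssl_root ROOT (hypothetical helper name)
# Prints one line per problem and returns the number of problems found.
check_snort_ssl_root() {
    root=${1%/}          # strip a trailing slash so "/" becomes ""
    problems=0

    # The mysql client libs want /dev/urandom inside the new root (devfs mount).
    if [ ! -c "$root/dev/urandom" ]; then
        echo "missing character device: $root/dev/urandom"
        problems=$((problems + 1))
    fi

    # ca.pem, cert.pem and key.pem must be available inside the new root.
    for name in ca.pem cert.pem key.pem; do
        file=$root$CERT_DIR/$name
        if [ ! -f "$file" ] || [ ! -r "$file" ]; then
            echo "missing or unreadable: $file"
            problems=$((problems + 1))
        fi
    done

    # Assumption of this example: the client's private key should not be
    # readable by group or others.
    key=$root$CERT_DIR/key.pem
    if [ -f "$key" ] &&
       [ -n "$(find -L "$key" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "private key readable by group or others: $key"
        problems=$((problems + 1))
    fi

    return "$problems"
}
```

A return value of 0 means the device node and all three files are in place under the given root.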



