[Snort-users] [patch] snort with mysql+SSL support

Joel Esler jesler at ...1935...
Sat Jun 25 09:22:53 EDT 2011

I generally recommend that Snort users subscribe to all three.  Sometimes a conversation takes place on a list that affects everyone, and through no fault of the authors, it doesn't make it over to other lists.

Maybe that's my fault, maybe I should be summing it up on http://blog.snort.org for everyone to consume, so maybe that's my fault.

I have a couple posts I need to put up on the blog right now.  Want to get some opinion from the community on the direction for a couple things.


On Jun 25, 2011, at 9:05 AM, Ryan Steinmetz wrote:

> Joel,
> Thanks for the reply.  I do believe that barnyard2 does include support for using SSL with MySQL.
> I was unaware that removing the direct to db logging was being discussed...perhaps I should subscribe to -devel too? ;)
> -r
> On (06/25/11 08:23), Joel Esler wrote:
>> Ryan,
>> Thanks for submitting. However, in an upcoming release, we are going to be removing direct to db logging from Snort, instead relying on the much faster unified2 format, as discussed on the snort-devel list.
>> We have already turned over the schemas for the databases to the barnyard2 team, and are attempting to plan at what release we'll be removing this functionality.
>> I think your idea is great, however, I'd encourage you to make contact with the barnyard2 team to see if they would be interested in incorporating the functionality into barnyard2. 
>> They should be on this list. 
>> -- 
>> Sent from my iPad
>> Please excuse the brevity
>> On Jun 24, 2011, at 9:52 PM, Ryan Steinmetz <rpsfa at ...15322...> wrote:
>>> All,
>>> I've thrown together a quick hack to require SSL use when logging to a mysql database.  I've tested this against v2.9.0.5 and it seems to work fine.
>>> A few notes:
>>> -If you are chrooting snort, you'll need to have a devfs mount within the new root as the mysql client libs will want access to /dev/urandom.
>>> -If you are chrooting snort, you will also need to have the certificates available within the chrooted environment as well.
>>> -Once the patch has been applied, snort will require SSL for all mysql connections.  To disable this you will need to revert the patch.
>>> -Certificates must exist in /usr/local/etc/snort/certs and be named as follows:
>>> --ca.pem: The CA's public key
>>> --cert.pem: The client's public key
>>> --key.pem: The client's private key
>>> Ideally, this would be incorporated into future releases and include config knobs to allow for flexibility.
>>> -r
>>> -- 
>>> Ryan Steinmetz
>>> PGP: EF36 D45A 5CA9 28B1 A550  18CD A43C D111 7AD7 FAF2
>>> <sslpatch.diff>
> -- 
> Ryan Steinmetz
> PGP: EF36 D45A 5CA9 28B1 A550  18CD A43C D111 7AD7 FAF2
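
The chroot requirements listed in Ryan Steinmetz's notes above, written as a preflight check. This is an added example, not part of the original thread or of the patch; the certificate directory and file names are taken from the post, while the function name, its argument and the permission check on key.pem are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight check for a chrooted Snort that logs to MySQL over SSL.
# CERT_DIR and the three file names are from the post; the function name, its
# argument and the key.pem permission check are assumptions of this example.
CERT_DIR=/usr/local/etc/snort/certs

# check_snort_ssl_chroot ROOT
# Prints one line per problem found under ROOT; the exit status is the problem count.
# Usage (constructed path): check_snort_ssl_chroot /var/chroot/snort
check_snort_ssl_chroot() {
    root=${1%/}
    problems=0

    # The MySQL client libraries want /dev/urandom inside the new root (devfs mount).
    if [ ! -c "$root/dev/urandom" ]; then
        echo "missing: $root/dev/urandom is not a character device"
        problems=$((problems + 1))
    fi

    # The certificates must be reachable at the same path inside the chroot.
    for f in ca.pem cert.pem key.pem; do
        if [ ! -f "$root$CERT_DIR/$f" ]; then
            echo "missing: $root$CERT_DIR/$f"
            problems=$((problems + 1))
        fi
    done

    # Extra check: the client's private key should not be group- or world-readable.
    key="$root$CERT_DIR/key.pem"
    if [ -f "$key" ] && [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "permissions: $key is readable by group or other"
        problems=$((problems + 1))
    fi

    return "$problems"
}
```

Passing `/` as ROOT checks the same paths on a host that is not chrooted.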
