Snort mailing list archives
Re: Secure Connection to transfer logs.
From: beenph <beenph () gmail com>
Date: Thu, 29 Apr 2010 14:38:31 -0400
I will not talk about MySQL here because I don't know it, but I'm sure it's quite similar; as for the PostgreSQL libraries, they can be built with SSL (generally depending on your build options).
From there it's generally a matter of passing the option to the library.
ref: http://www.postgresql.org/docs/8.2/static/libpq-connect.html

<snip>
sslmode
This option determines whether or with what priority an SSL connection will be negotiated with the server. There are four modes: disable will attempt only an unencrypted SSL connection; allow will negotiate, trying first a non-SSL connection, then if that fails, trying an SSL connection; prefer (the default) will negotiate, trying first an SSL connection, then if that fails, trying a regular non-SSL connection; require will try only an SSL connection. If PostgreSQL is compiled without SSL support, using option require will cause an error, while options allow and prefer will be accepted but libpq will not in fact attempt an SSL connection.

requiressl
This option is deprecated in favor of the sslmode setting. If set to 1, an SSL connection to the server is required (this is equivalent to sslmode require). libpq will then refuse to connect if the server does not accept an SSL connection. If set to 0 (default), libpq will negotiate the connection type with the server (equivalent to sslmode prefer). This option is only available if PostgreSQL is compiled with SSL support.
</snip>

But since barnyard2 uses PQsetdbLogin, the following code could be changed to:

<old>
#ifdef ENABLE_POSTGRESQL
if( data->shared->dbtype_id == DB_POSTGRESQL )
{
    /* PQsetdbLogin(host, port, pgoptions, pgtty, dbname, login, pwd) */
    data->p_connection = PQsetdbLogin(data->shared->host, data->port,
                                      NULL, NULL,
                                      data->shared->dbname,
                                      data->user, data->password);
    if(PQstatus(data->p_connection) == CONNECTION_BAD)
    {
        PQfinish(data->p_connection);
        FatalError("database: Connection to database '%s' failed\n",
                   data->shared->dbname);
    }
}
#endif
</old>

<new>
#ifdef ENABLE_POSTGRESQL
const char ssloption[] = "sslmode=require";
if( data->shared->dbtype_id == DB_POSTGRESQL )
{
    /* ssloption replaces the NULL third (pgoptions) argument */
    data->p_connection = PQsetdbLogin(data->shared->host, data->port,
                                      ssloption, NULL,
                                      data->shared->dbname,
                                      data->user, data->password);
    if(PQstatus(data->p_connection) == CONNECTION_BAD)
    {
        PQfinish(data->p_connection);
        FatalError("database: Connection to database '%s' failed\n",
                   data->shared->dbname);
    }
}
#endif
</new>

It's quite transparent and removes an external point of failure over the Stunnel, as long as your database backend supports SSL; and I'm sure it's quite trivial to enable for MySQL also.

-elz

On Thu, Apr 29, 2010 at 2:18 PM, Garland, Ken R <garlandkr () gmail com> wrote:
> After chatting in #Snorby on freenode this is the route I'm going to be taking as well. Thanks.
>
> On Thu, Apr 29, 2010 at 2:09 PM, Randal T. Rioux <randy () procyonlabs com> wrote:
>> On Thu, April 29, 2010 12:54 pm, Garland, Ken R wrote:
>>> I'm setting up a Snorby front-end and planning to send the snort logs to it over the management interface. What would be considered a "best practice" in regards to securely transferring the data. Using syslog-ng and ssl?
>>
>> I've used Stunnel for sending Barnyard(2) parsed unified(2) logs to a remote database server. Always a nice added layer of security.
>>
>> Randy

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Secure Connection to transfer logs. Garland, Ken R (Apr 29)
- Re: Secure Connection to transfer logs. Randal T. Rioux (Apr 29)
- Re: Secure Connection to transfer logs. Garland, Ken R (Apr 29)
- Re: Secure Connection to transfer logs. beenph (Apr 29)
- Re: Secure Connection to transfer logs. Randal T. Rioux (Apr 29)
- Re: Secure Connection to transfer logs. firnsy (Apr 29)
- Re: Secure Connection to transfer logs. Garland, Ken R (Apr 29)
- Re: Secure Connection to transfer logs. Randal T. Rioux (Apr 29)
- Re: Secure Connection to transfer logs. Joel Esler (Apr 29)