I recently had to do some reconfiguration of an intrusion detection system (IDS) that used barnyard2 to parse unified2 output from suricata and insert the data into a remote mysql database. The system was previously configured to use ssh tunnels to encrypt all traffic. These tunnels were kept alive with autossh, but this configuration needed a lot of care and feeding due to hiccups in the network.
Due to the continual issues with the autossh tunnels, I decided to get rid of the ssh tunnels and simply enable native SSL for barnyard2. Unfortunately, this was a bit more time consuming than initially thought, since I couldn’t find a lot of concrete examples of how to get this up and running. There are a lot of forum discussions, from which I found that there are 5 required variables to enable SSL. These variables are:
ssl_key
ssl_cert
ssl_ca
ssl_ca_path
ssl_cipher
After monkeying around with these variables for a few hours, I realized that these SSL configuration variables are not global; they need to be appended directly to each output. This is the example I offer for others seeking this functionality (one very long line).
output database: log, mysql, user=snort password=snort_pw dbname=snort_db host=db.host.com ssl_key=/etc/ssl/certs/ssl_key.pem ssl_cert=/etc/ssl/certs/ssl_cert.pem ssl_ca=/etc/ssl/certs/ssl_ca.pem ssl_ca_path=/etc/ssl/certs ssl_cipher=DHE-RSA-AES256-SHA:AES128-SHA
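Because the SSL settings are per-output rather than global, a config with several "output database:" lines can silently leave one of them unencrypted. The following lint script is an added example (not part of this post or of barnyard2 itself) that parses each output line and reports which of the five SSL variables it lacks; the sample config and host name are constructed for the demonstration.

```python
"""Lint a barnyard2 config: every 'output database:' line must carry its own
SSL settings, because barnyard2 does not treat them as global."""
import shlex

# The five SSL variables that must be appended to each database output line.
SSL_KEYS = ("ssl_key", "ssl_cert", "ssl_ca", "ssl_ca_path", "ssl_cipher")

# Constructed sample config: line 2 is complete, line 3 is missing four keys.
SAMPLE_CONFIG = """config reference_file: /etc/snort/reference.config
output database: log, mysql, user=snort password=snort_pw dbname=snort_db host=db.example.com ssl_key=/etc/ssl/certs/ssl_key.pem ssl_cert=/etc/ssl/certs/ssl_cert.pem ssl_ca=/etc/ssl/certs/ssl_ca.pem ssl_ca_path=/etc/ssl/certs ssl_cipher=DHE-RSA-AES256-SHA:AES128-SHA
output database: alert, mysql, user=snort password=snort_pw dbname=snort_db host=db.example.com ssl_key=/etc/ssl/certs/ssl_key.pem
"""

def parse_output_line(line):
    """Parse 'output database: <mode>, <dbtype>, k=v k=v ...' into
    (mode, dbtype, params)."""
    body = line.split("output database:", 1)[1]
    parts = [p.strip() for p in body.split(",", 2)]
    mode = parts[0] if len(parts) > 0 else ""
    dbtype = parts[1] if len(parts) > 1 else ""
    params = {}
    if len(parts) == 3:
        for token in shlex.split(parts[2]):
            key, _, value = token.partition("=")
            params[key] = value
    return mode, dbtype, params

def lint_config(config_text):
    """Return {line_number: [missing SSL keys]} for every database output
    line that does not carry all five SSL variables."""
    problems = {}
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("output database:"):
            continue
        _, _, params = parse_output_line(line)
        missing = [k for k in SSL_KEYS if k not in params]
        if missing:
            problems[lineno] = missing
    return problems

if __name__ == "__main__":
    for lineno, missing in sorted(lint_config(SAMPLE_CONFIG).items()):
        print(f"line {lineno}: missing {', '.join(missing)}")
```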
NOTE: This is also dependent on your mysql server having SSL enabled.
You can test your mysql instance to find out if it supports SSL with the following mysql query:
SHOW GLOBAL VARIABLES LIKE 'have_%ssl';
As far as I know, SSL is *not* enabled by default. It’s pretty easy to enable by simply adding these lines to the [mysqld] section of /etc/my.cnf.
ssl-ca=/etc/mysql-ssl/ca-cert.pem
ssl-cert=/etc/mysql-ssl/server-cert.pem
ssl-key=/etc/mysql-ssl/server-key.pem
Any questions, comments, issues just chime in below.