October 22, 2015

Enable Native SSL for barnyard2


I recently had to do some reconfiguration of an intrusion detection system (IDS) that used barnyard2 to parse unified2 output from suricata and insert the data into a remote mysql database. The system was previously configured to use ssh tunnels to encrypt all traffic. These tunnels were kept alive with autossh , but this configuration needed a lot of care and feeding due to hiccups in the network.

Due to the continual issues with the autossh tunnels, I decided to get rid of the ssh tunnels and simply enable native SSL for barnyard2. Unfortunately, this was a bit more time consuming than initially thought since I couldn’t find a lot of concrete examples of how to get this up and running. There’s a lot of forum discussions from which I found there are 5 required variables to enable SSL. These variables are:

  • ssl_key – the path of the SSL key file to use for establishing a secure
    connection.
  • ssl_cert – the path of the SSL certificate file to use for establishing
    a secure connection.
  • ssl_ca – the path to a file that contains a list of trusted SSL CAs.
  • ssl_ca_path – the path to a directory that contains trusted SSL CA
    certificates in PEM format.
  • ssl_cipher – a list of allowable ciphers to use for SSL encryption. For
    greatest portability, the cipher list should be one or more
    cipher names, separated by colons.

After monkeying around with these variables for a few hours I realized that these SSL configuration variables were not global; they need to be appended directly to each output. This is the example I offer for others seeking this functionality (one very long line).

output database: log, mysql, user=snort password=snort_pw dbname=snort_db host=db.host.com ssl_key=/etc/ssl/certs/ssl_key.pem ssl_cert=/etc/ssl/certs/ssl_cert.pem ssl_ca=/etc/ssl/certs/ssl_ca.pem ssl_ca_path=/etc/ssl/certs ssl_cipher=DHE-RSA-AES256-SHA:AES128-SHA

NOTE: This is also dependent on your mysql server having SSL enabled.
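Because the SSL variables only take effect when they are appended to each output line, a configuration with several outputs is easy to get half right. The following added check (my own example, not part of the original post or of barnyard2) parses every "output database:" line of a constructed barnyard2.conf and reports which mysql outputs are missing any of the five SSL variables; the host names and file paths in the sample are made up.

```python
"""Report barnyard2 mysql outputs that lack the per-output SSL variables."""

# The five per-output SSL variables described above.
SSL_KEYS = ("ssl_key", "ssl_cert", "ssl_ca", "ssl_ca_path", "ssl_cipher")

# Constructed sample barnyard2.conf: the first output is complete, the
# second carries only ssl_ca and would therefore still connect without
# the full SSL setup the post describes.
SAMPLE_CONF = """\
config logdir: /var/log/barnyard2
output database: log, mysql, user=snort password=snort_pw dbname=snort_db \
host=db.example.com ssl_key=/etc/ssl/certs/ssl_key.pem \
ssl_cert=/etc/ssl/certs/ssl_cert.pem ssl_ca=/etc/ssl/certs/ssl_ca.pem \
ssl_ca_path=/etc/ssl/certs ssl_cipher=DHE-RSA-AES256-SHA:AES128-SHA
output database: alert, mysql, user=snort password=snort_pw dbname=snort_db \
host=db2.example.com ssl_ca=/etc/ssl/certs/ssl_ca.pem
"""


def parse_output_database(line):
    """Split 'output database: <type>, <db>, k=v k=v ...' into its parts."""
    body = line.split(":", 1)[1]
    parts = [p.strip() for p in body.split(",", 2)]
    if len(parts) < 3:
        raise ValueError("malformed output line: %r" % line)
    log_type, db_type, opts = parts
    options = {}
    for token in opts.split():
        # Options are space separated; the cipher list uses colons, so a
        # single split on the first '=' is enough for every key.
        if "=" in token:
            key, value = token.split("=", 1)
            options[key] = value
    return log_type, db_type, options


def missing_ssl_options(conf_text):
    """Map '<type>@<host>' to the list of SSL keys absent from that output."""
    report = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("output database:"):
            continue
        log_type, db_type, opts = parse_output_database(line)
        if db_type != "mysql":
            continue
        missing = [k for k in SSL_KEYS if k not in opts]
        report["%s@%s" % (log_type, opts.get("host", "?"))] = missing
    return report


if __name__ == "__main__":
    for output, missing in missing_ssl_options(SAMPLE_CONF).items():
        print(output, "missing:", ", ".join(missing) or "nothing")
```

Run it against your real barnyard2.conf by reading the file into `missing_ssl_options` instead of the constructed sample.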

You can test your mysql instance to find out if it supports SSL with the following mysql query:

SHOW GLOBAL VARIABLES LIKE 'have_%ssl';

As far as I know, SSL is *not* enabled by default. It’s pretty easy to enable by simply adding these lines to the [mysqld] section of /etc/my.cnf.

ssl-ca=/etc/mysql-ssl/ca-cert.pem
ssl-cert=/etc/mysql-ssl/server-cert.pem
ssl-key=/etc/mysql-ssl/server-key.pem

Any questions, comments, or issues, just chime in below.
